bopodev-api 0.1.30 → 0.1.32

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.30",
+  "version": "0.1.32",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -8,20 +8,24 @@
     "tsconfig.json"
   ],
   "dependencies": {
+    "archiver": "^7.0.1",
     "cors": "^2.8.5",
     "cron-parser": "^5.3.1",
     "dotenv": "^17.0.1",
     "drizzle-orm": "^0.44.5",
     "express": "^5.1.0",
+    "fflate": "^0.8.2",
     "multer": "^2.1.1",
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
+    "yaml": "^2.8.3",
     "zod": "^4.1.5",
-    "bopodev-contracts": "0.1.30",
-    "bopodev-db": "0.1.30",
-    "bopodev-agent-sdk": "0.1.30"
+    "bopodev-agent-sdk": "0.1.32",
+    "bopodev-contracts": "0.1.32",
+    "bopodev-db": "0.1.32"
   },
   "devDependencies": {
+    "@types/archiver": "^7.0.0",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.3",
     "@types/multer": "^2.1.0",

package/src/app.ts

@@ -2,6 +2,7 @@ import express from "express";
 import type { NextFunction, Request, Response } from "express";
 import { pingDatabase, RepositoryValidationError } from "bopodev-db";
 import type { AppContext } from "./context";
+import { createAssistantRouter } from "./routes/assistant";
 import { createAgentsRouter } from "./routes/agents";
 import { createAuthRouter } from "./routes/auth";
 import { createAttentionRouter } from "./routes/attention";
@@ -10,6 +11,7 @@ import { createGoalsRouter } from "./routes/goals";
 import { createGovernanceRouter } from "./routes/governance";
 import { createHeartbeatRouter } from "./routes/heartbeats";
 import { createIssuesRouter } from "./routes/issues";
+import { createLoopsRouter } from "./routes/loops";
 import { createObservabilityRouter } from "./routes/observability";
 import { createProjectsRouter } from "./routes/projects";
 import { createPluginsRouter } from "./routes/plugins";
@@ -61,9 +63,11 @@ export function createApp(ctx: AppContext) {
 
   app.use("/auth", createAuthRouter(ctx));
   app.use("/attention", createAttentionRouter(ctx));
+  app.use("/assistant", createAssistantRouter(ctx));
   app.use("/companies", createCompaniesRouter(ctx));
   app.use("/projects", createProjectsRouter(ctx));
   app.use("/issues", createIssuesRouter(ctx));
+  app.use("/loops", createLoopsRouter(ctx));
   app.use("/goals", createGoalsRouter(ctx));
   app.use("/agents", createAgentsRouter(ctx));
   app.use("/governance", createGovernanceRouter(ctx));

package/src/lib/instance-paths.ts

@@ -78,6 +78,11 @@ export function resolveAgentMemoryRootPath(companyId: string, agentId: string) {
   return join(resolveAgentFallbackWorkspacePath(companyId, agentId), "memory");
 }
 
+/** Agent operating docs (AGENTS.md, HEARTBEAT.md, etc.) — matches `BOPODEV_AGENT_OPERATING_DIR` at runtime. */
+export function resolveAgentOperatingPath(companyId: string, agentId: string) {
+  return join(resolveAgentFallbackWorkspacePath(companyId, agentId), "operating");
+}
+
 export function resolveCompanyMemoryRootPath(companyId: string) {
   const safeCompanyId = assertPathSegment(companyId, "companyId");
   return join(resolveBopoInstanceRoot(), "workspaces", safeCompanyId, "memory");

package/src/middleware/cors-config.ts

@@ -22,7 +22,7 @@ export function createCorsMiddleware(deploymentMode: DeploymentMode, allowedOrig
       callback(new Error(`CORS origin denied: ${origin}`));
     },
     credentials: true,
-    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: [
       "content-type",
       "x-company-id",

package/src/routes/assistant.ts

@@ -0,0 +1,109 @@
+import { Router } from "express";
+import { z } from "zod";
+import {
+  createAssistantThread,
+  getAssistantThreadById,
+  getOrCreateAssistantThread,
+  listAssistantMessages
+} from "bopodev-db";
+import type { AppContext } from "../context";
+import { sendError, sendOk } from "../http";
+import { requireCompanyScope } from "../middleware/company-scope";
+import { ASK_ASSISTANT_BRAIN_IDS, listAskAssistantBrains } from "../services/company-assistant-brain";
+import { getCompanyCeoPersona, runCompanyAssistantTurn } from "../services/company-assistant-service";
+
+const brainEnum = z.enum(ASK_ASSISTANT_BRAIN_IDS);
+
+const postMessageSchema = z.object({
+  message: z.string().trim().min(1).max(16_000),
+  /** Adapter / runtime used to answer (same catalog as hiring an agent). */
+  brain: brainEnum.optional(),
+  /** Active chat thread; omit to use latest-or-create for the company. */
+  threadId: z.string().trim().min(1).optional()
+});
+
+export function createAssistantRouter(ctx: AppContext) {
+  const router = Router();
+  router.use(requireCompanyScope);
+
+  router.get("/brains", (_req, res) => {
+    return sendOk(res, { brains: listAskAssistantBrains() });
+  });
+
+  router.get("/messages", async (req, res) => {
+    const companyId = req.companyId!;
+    const qThread =
+      typeof req.query.threadId === "string" && req.query.threadId.trim() ? req.query.threadId.trim() : "";
+    let thread;
+    if (qThread) {
+      const found = await getAssistantThreadById(ctx.db, companyId, qThread);
+      if (!found) {
+        return sendError(res, "Chat thread not found.", 404);
+      }
+      thread = found;
+    } else {
+      thread = await getOrCreateAssistantThread(ctx.db, companyId);
+    }
+    const rawLimit = Number(req.query.limit ?? 100);
+    const limit = Number.isFinite(rawLimit) ? Math.min(Math.max(Math.floor(rawLimit), 1), 200) : 100;
+    const rows = await listAssistantMessages(ctx.db, thread.id, limit);
+    const ceoPersona = await getCompanyCeoPersona(ctx.db, companyId);
+    return sendOk(res, {
+      threadId: thread.id,
+      ceoPersona,
+      messages: rows.map((m) => ({
+        id: m.id,
+        role: m.role,
+        body: m.body,
+        createdAt: m.createdAt instanceof Date ? m.createdAt.toISOString() : String(m.createdAt),
+        metadata: m.metadataJson ? safeJsonParse(m.metadataJson) : null
+      }))
+    });
+  });
+
+  router.post("/messages", async (req, res) => {
+    const parsed = postMessageSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    const companyId = req.companyId!;
+    const actor = req.actor;
+    const auditActorType =
+      actor?.type === "agent" ? "agent" : actor?.type === "board" || actor?.type === "member" ? "human" : "human";
+    const actorId = actor?.id?.trim() || "unknown";
+    try {
+      const result = await runCompanyAssistantTurn({
+        db: ctx.db,
+        companyId,
+        userMessage: parsed.data.message,
+        actorType: auditActorType,
+        actorId,
+        brain: parsed.data.brain,
+        threadId: parsed.data.threadId
+      });
+      return sendOk(res, result);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (message.includes("Missing API key")) {
+        return sendError(res, message, 503);
+      }
+      return sendError(res, message, 422);
+    }
+  });
+
+  router.post("/threads", async (req, res) => {
+    const companyId = req.companyId!;
+    const thread = await createAssistantThread(ctx.db, companyId);
+    return sendOk(res, { threadId: thread.id });
+  });
+
+  return router;
+}
+
+function safeJsonParse(raw: string): unknown {
+  try {
+    return JSON.parse(raw) as unknown;
+  } catch {
+    return null;
+  }
+}

package/src/routes/companies.ts

@@ -1,6 +1,7 @@
 import { mkdir } from "node:fs/promises";
 import type { NextFunction, Request, Response } from "express";
 import { Router } from "express";
+import multer from "multer";
 import { z } from "zod";
 import { CompanySchema } from "bopodev-contracts";
 import { createAgent, createCompany, deleteCompany, listCompanies, updateCompany } from "bopodev-db";
@@ -10,11 +11,29 @@ import { normalizeRuntimeConfig, resolveRuntimeModelForProvider, runtimeConfigTo
 import { buildDefaultCeoBootstrapPrompt } from "../lib/ceo-bootstrap-prompt";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
-import { buildCompanyPortabilityExport } from "../services/company-export-service";
 import { canAccessCompany, requireBoardRole, requirePermission } from "../middleware/request-actor";
+import {
+  CompanyFileArchiveError,
+  listCompanyExportManifest,
+  normalizeExportPath,
+  pipeCompanyExportZip,
+  readCompanyExportFileText
+} from "../services/company-file-archive-service";
+import { buildCompanyPortabilityExport } from "../services/company-export-service";
+import { CompanyFileImportError, importCompanyFromZipBuffer } from "../services/company-file-import-service";
 import { ensureCompanyBuiltinPluginDefaults } from "../services/plugin-runtime";
 import { ensureCompanyBuiltinTemplateDefaults } from "../services/template-catalog";
 
+const zipUpload = multer({
+  storage: multer.memoryStorage(),
+  limits: { fileSize: 80 * 1024 * 1024 }
+});
+
+const exportZipBodySchema = z.object({
+  paths: z.array(z.string()).nullable().optional(),
+  includeAgentMemory: z.boolean().optional().default(false)
+});
+
 const DEFAULT_AGENT_PROVIDER_ENV = "BOPO_DEFAULT_AGENT_PROVIDER";
 const DEFAULT_AGENT_MODEL_ENV = "BOPO_DEFAULT_AGENT_MODEL";
 
@@ -54,6 +73,98 @@ export function createCompaniesRouter(ctx: AppContext) {
     );
   });
 
+  router.post("/import/files", requireBoardRole, zipUpload.single("archive"), async (req, res) => {
+    const file = req.file;
+    if (!file?.buffer) {
+      return sendError(res, 'Upload a .zip file in field "archive".', 422);
+    }
+    try {
+      const result = await importCompanyFromZipBuffer(ctx.db, file.buffer);
+      return sendOk(res, result);
+    } catch (err) {
+      const message = err instanceof CompanyFileImportError ? err.message : String(err);
+      return sendError(res, message, 422);
+    }
+  });
+
+  router.get("/:companyId/export/files/manifest", async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    if (!canAccessCompany(req, companyId)) {
+      return sendError(res, "Actor does not have access to this company.", 403);
+    }
+    const includeAgentMemory = req.query.includeAgentMemory === "1" || req.query.includeAgentMemory === "true";
+    try {
+      const files = await listCompanyExportManifest(ctx.db, companyId, { includeAgentMemory });
+      return sendOk(res, { files, includeAgentMemory });
+    } catch (err) {
+      const message = err instanceof CompanyFileArchiveError ? err.message : String(err);
+      return sendError(res, message, 422);
+    }
+  });
+
+  router.get("/:companyId/export/files/preview", async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    if (!canAccessCompany(req, companyId)) {
+      return sendError(res, "Actor does not have access to this company.", 403);
+    }
+    const pathRaw = typeof req.query.path === "string" ? req.query.path : "";
+    const includeAgentMemory = req.query.includeAgentMemory === "1" || req.query.includeAgentMemory === "true";
+    const normalizedPath = normalizeExportPath(pathRaw);
+    if (!normalizedPath) {
+      return sendError(res, "Invalid or missing path query parameter.", 422);
+    }
+    try {
+      const preview = await readCompanyExportFileText(ctx.db, companyId, normalizedPath, { includeAgentMemory });
+      if (!preview) {
+        return sendError(res, "File not found in export manifest.", 404);
+      }
+      res.setHeader("content-type", "text/plain; charset=utf-8");
+      return res.status(200).send(preview.content);
+    } catch (err) {
+      const message = err instanceof CompanyFileArchiveError ? err.message : String(err);
+      return sendError(res, message, 422);
+    }
+  });
+
+  router.post("/:companyId/export/files/zip", async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    if (!canAccessCompany(req, companyId)) {
+      return sendError(res, "Actor does not have access to this company.", 403);
+    }
+    const parsed = exportZipBodySchema.safeParse(req.body ?? {});
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    try {
+      const stream = await pipeCompanyExportZip(ctx.db, companyId, {
+        paths: parsed.data.paths ?? null,
+        includeAgentMemory: parsed.data.includeAgentMemory
+      });
+      res.setHeader("Content-Type", "application/zip");
+      res.setHeader("Content-Disposition", `attachment; filename="company-${companyId}-export.zip"`);
+      stream.on("error", () => {
+        if (!res.headersSent) {
+          sendError(res, "Zip stream failed.", 500);
+        } else {
+          res.end();
+        }
+      });
+      stream.pipe(res);
+    } catch (err) {
+      const message = err instanceof CompanyFileArchiveError ? err.message : String(err);
+      return sendError(res, message, 422);
+    }
+  });
+
   router.get("/:companyId/export", async (req, res) => {
     const companyId = readCompanyIdParam(req);
     if (!companyId) {

package/src/routes/loops.ts

@@ -0,0 +1,360 @@
+import { Router } from "express";
+import { appendAuditEvent, listAuditEvents } from "bopodev-db";
+import {
+  WorkLoopCreateRequestSchema,
+  WorkLoopTriggerCreateRequestSchema,
+  WorkLoopUpdateRequestSchema,
+  WorkLoopTriggerUpdateRequestSchema
+} from "bopodev-contracts";
+import type { AppContext } from "../context";
+import { sendError, sendOk } from "../http";
+import { requireCompanyScope } from "../middleware/company-scope";
+import { enforcePermission } from "../middleware/request-actor";
+import {
+  workLoopRuns,
+  workLoops,
+  workLoopTriggers
+} from "bopodev-db";
+import {
+  addWorkLoopTrigger,
+  addWorkLoopTriggerFromPreset,
+  dispatchLoopRun,
+  getWorkLoop,
+  listWorkLoopRuns,
+  listWorkLoops,
+  listWorkLoopTriggers,
+  createWorkLoop,
+  updateWorkLoop,
+  updateWorkLoopTrigger,
+  deleteWorkLoopTrigger
+} from "../services/work-loop-service";
+
+function serializeLoop(row: typeof workLoops.$inferSelect) {
+  let goalIds: string[] = [];
+  try {
+    goalIds = JSON.parse(row.goalIdsJson || "[]") as string[];
+  } catch {
+    goalIds = [];
+  }
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    projectId: row.projectId,
+    parentIssueId: row.parentIssueId,
+    goalIds,
+    title: row.title,
+    description: row.description,
+    assigneeAgentId: row.assigneeAgentId,
+    priority: row.priority,
+    status: row.status,
+    concurrencyPolicy: row.concurrencyPolicy,
+    catchUpPolicy: row.catchUpPolicy,
+    lastTriggeredAt: row.lastTriggeredAt ? row.lastTriggeredAt.toISOString() : null,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+function serializeTrigger(row: typeof workLoopTriggers.$inferSelect) {
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    workLoopId: row.workLoopId,
+    kind: row.kind,
+    label: row.label,
+    enabled: row.enabled,
+    cronExpression: row.cronExpression,
+    timezone: row.timezone,
+    nextRunAt: row.nextRunAt ? row.nextRunAt.toISOString() : null,
+    lastFiredAt: row.lastFiredAt ? row.lastFiredAt.toISOString() : null,
+    lastResult: row.lastResult,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+function serializeRun(row: typeof workLoopRuns.$inferSelect) {
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    workLoopId: row.workLoopId,
+    triggerId: row.triggerId,
+    source: row.source,
+    status: row.status,
+    triggeredAt: row.triggeredAt.toISOString(),
+    idempotencyKey: row.idempotencyKey,
+    linkedIssueId: row.linkedIssueId,
+    coalescedIntoRunId: row.coalescedIntoRunId,
+    failureReason: row.failureReason,
+    completedAt: row.completedAt ? row.completedAt.toISOString() : null,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+export function createLoopsRouter(ctx: AppContext) {
+  const router = Router();
+  router.use(requireCompanyScope);
+
+  router.get("/", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const rows = await listWorkLoops(ctx.db, req.companyId!);
+    return sendOk(res, { data: rows.map(serializeLoop) });
+  });
+
+  router.post("/", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopCreateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    try {
+      const row = await createWorkLoop(ctx.db, {
+        companyId: req.companyId!,
+        projectId: parsed.data.projectId,
+        parentIssueId: parsed.data.parentIssueId,
+        goalIds: parsed.data.goalIds,
+        title: parsed.data.title,
+        description: parsed.data.description,
+        assigneeAgentId: parsed.data.assigneeAgentId,
+        priority: parsed.data.priority,
+        status: parsed.data.status,
+        concurrencyPolicy: parsed.data.concurrencyPolicy,
+        catchUpPolicy: parsed.data.catchUpPolicy
+      });
+      if (!row) {
+        return sendError(res, "Failed to create work loop.", 500);
+      }
+      await appendAuditEvent(ctx.db, {
+        companyId: req.companyId!,
+        actorType: "human",
+        actorId: req.actor?.id ?? null,
+        eventType: "work_loop.created",
+        entityType: "work_loop",
+        entityId: row.id,
+        correlationId: req.requestId ?? null,
+        payload: { loopId: row.id, title: row.title }
+      });
+      return sendOk(res, { data: serializeLoop(row) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to create work loop.", 422);
+    }
+  });
+
+  router.get("/:loopId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const row = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!row) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const [triggers, recentRuns] = await Promise.all([
+      listWorkLoopTriggers(ctx.db, req.companyId!, loopId),
+      listWorkLoopRuns(ctx.db, req.companyId!, loopId, 30)
+    ]);
+    return sendOk(res, {
+      data: {
+        ...serializeLoop(row),
+        triggers: triggers.map(serializeTrigger),
+        recentRuns: recentRuns.map(serializeRun)
+      }
+    });
+  });
+
+  router.patch("/:loopId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopUpdateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    const row = await updateWorkLoop(ctx.db, req.companyId!, req.params.loopId, parsed.data);
+    if (!row) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.updated",
+      entityType: "work_loop",
+      entityId: row.id,
+      correlationId: req.requestId ?? null,
+      payload: { patch: parsed.data }
+    });
+    return sendOk(res, { data: serializeLoop(row) });
+  });
+
+  router.post("/:loopId/run", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:run")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const run = await dispatchLoopRun(ctx.db, {
+      companyId: req.companyId!,
+      loopId,
+      triggerId: null,
+      source: "manual",
+      idempotencyKey: req.requestId ? `manual:${loopId}:${req.requestId}` : `manual:${loopId}:${Date.now()}`,
+      realtimeHub: ctx.realtimeHub,
+      requestId: req.requestId
+    });
+    if (!run) {
+      return sendError(res, "Work loop is not active or could not be dispatched.", 409);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.manual_run",
+      entityType: "work_loop",
+      entityId: loopId,
+      correlationId: req.requestId ?? null,
+      payload: { runId: run.id, status: run.status }
+    });
+    return sendOk(res, { data: serializeRun(run) });
+  });
+
+  router.get("/:loopId/runs", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loop = await getWorkLoop(ctx.db, req.companyId!, req.params.loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const limit = Math.min(500, Math.max(1, Number(req.query.limit) || 100));
+    const runs = await listWorkLoopRuns(ctx.db, req.companyId!, req.params.loopId, limit);
+    return sendOk(res, { data: runs.map(serializeRun) });
+  });
+
+  router.get("/:loopId/activity", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const events = await listAuditEvents(ctx.db, req.companyId!, 200);
+    const filtered = events.filter((e) => e.entityType === "work_loop" && e.entityId === loopId);
+    return sendOk(res, {
+      data: filtered.map((e) => ({
+        id: e.id,
+        eventType: e.eventType,
+        actorType: e.actorType,
+        actorId: e.actorId,
+        payload: JSON.parse(e.payloadJson || "{}") as Record<string, unknown>,
+        createdAt: e.createdAt.toISOString()
+      }))
+    });
+  });
+
+  router.post("/:loopId/triggers", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const parsed = WorkLoopTriggerCreateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    try {
+      const body = parsed.data;
+      const trigger =
+        body.mode === "cron"
+          ? await addWorkLoopTrigger(ctx.db, {
+              companyId: req.companyId!,
+              workLoopId: loopId,
+              cronExpression: body.cronExpression,
+              timezone: body.timezone,
+              label: body.label ?? null,
+              enabled: body.enabled
+            })
+          : await addWorkLoopTriggerFromPreset(ctx.db, {
+              companyId: req.companyId!,
+              workLoopId: loopId,
+              preset: body.preset,
+              hour24: body.hour24,
+              minute: body.minute,
+              dayOfWeek: body.preset === "weekly" ? (body.dayOfWeek ?? 1) : undefined,
+              timezone: body.timezone,
+              label: body.label ?? null,
+              enabled: body.enabled
+            });
+      if (!trigger) {
+        return sendError(res, "Failed to create trigger.", 500);
+      }
+      return sendOk(res, { data: serializeTrigger(trigger) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to create trigger.", 422);
+    }
+  });
+
+  router.patch("/:loopId/triggers/:triggerId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopTriggerUpdateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    const loop = await getWorkLoop(ctx.db, req.companyId!, req.params.loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    try {
+      const row = await updateWorkLoopTrigger(ctx.db, req.companyId!, req.params.triggerId, parsed.data);
+      if (!row || row.workLoopId !== req.params.loopId) {
+        return sendError(res, "Trigger not found.", 404);
+      }
+      return sendOk(res, { data: serializeTrigger(row) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to update trigger.", 422);
+    }
+  });
+
+  router.delete("/:loopId/triggers/:triggerId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const { loopId, triggerId } = req.params;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const deleted = await deleteWorkLoopTrigger(ctx.db, req.companyId!, loopId, triggerId);
+    if (!deleted) {
+      return sendError(res, "Trigger not found.", 404);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.trigger_deleted",
+      entityType: "work_loop",
+      entityId: loopId,
+      correlationId: req.requestId ?? null,
+      payload: { triggerId }
+    });
+    return sendOk(res, { deleted: true });
+  });
+
+  return router;
+}