ofiere-openclaw-plugin 4.41.1 → 4.43.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ofiere-openclaw-plugin",
-  "version": "4.41.1",
+  "version": "4.43.0",
   "type": "module",
   "description": "OpenClaw plugin for Ofiere PM - 16 meta-tools covering tasks, agents, projects, scheduling, knowledge, workflows, notifications, memory, prompts, constellation, space file management, execution plan builder, SOP management, agent brain, talent management, and corporate frameworks",
   "keywords": ["openclaw", "ofiere", "project-management", "agents", "plugin"],

package/src/attachments.ts

@@ -15,6 +15,7 @@ import {
   invalidateAgentTier,
 } from "./agent-tier.js";
 import { issueAttachmentToken, verifyAttachmentToken } from "./attach-token.js";
+import { loadSubagentRow, buildStaffPersonaBlock, readDispatchSubagentId, type SubagentRow } from "./staffPersona.js";
 
 interface ToolResult {
   content: Array<{ type: "text"; text: string }>;
@@ -360,8 +361,29 @@ async function buildAttachmentBlock(args: {
   supabase: SupabaseClient;
   userId: string;
   agentId: string;
+  subagentId?: string | null;
 }): Promise<string> {
-  const { supabase, userId, agentId } = args;
+  const { supabase, userId, agentId, subagentId } = args;
+
+  // When a staff dispatch arrives, prefer attachments scoped to the subagent
+  // so a chief and its staff never share an attachment surface implicitly.
+  if (subagentId) {
+    const { data: staffConv } = await supabase
+      .from("conversations")
+      .select("id, attached_sop_ids, attached_framework_ids")
+      .eq("user_id", userId)
+      .eq("agent_id", agentId)
+      .eq("subagent_id", subagentId)
+      .order("updated_at", { ascending: false })
+      .limit(1)
+      .maybeSingle();
+    if (staffConv) {
+      const sopIds: string[] = (staffConv.attached_sop_ids as string[] | null) || [];
+      const fwIds: string[] = (staffConv.attached_framework_ids as string[] | null) || [];
+      return renderBlockForIds({ supabase, userId, sopIds, fwIds });
+    }
+    // No staff-scoped conversation yet — fall through to chief-level lookup.
+  }
 
   // Find the most recently active conversation for this agent. The dashboard
   // bumps `updated_at` whenever a message is sent or attachments change, so
@@ -402,6 +424,36 @@ export function registerAttachmentContextHook(args: {
         }
         if (!resolvedAgentId) return;
 
+        // Cycle 7b — staff persona injection. Only fires when subagent_id is
+        // present in dispatch metadata (task-dispatcher / scheduler / explicit
+        // dispatch params). Plain user chats with the chief never persona-swap.
+        const subagentId = readDispatchSubagentId(ctx);
+        let staffPrefix = "";
+        let staffRow: SubagentRow | null = null;
+        if (subagentId) {
+          staffRow = await loadSubagentRow(supabase, userId, subagentId);
+          if (staffRow && staffRow.chief_agent_id === resolvedAgentId) {
+            staffPrefix = buildStaffPersonaBlock(staffRow) + "\n\n---\n\n";
+            api.logger?.debug?.(
+              `[ofiere-staff] subagent ${subagentId} (${staffRow.name}) reporting to ${resolvedAgentId} — persona injected`,
+            );
+          } else if (staffRow) {
+            api.logger?.warn?.(
+              `[ofiere-staff] subagent ${subagentId} chief_mismatch (got ${staffRow.chief_agent_id}, expected ${resolvedAgentId}) — ignoring persona`,
+            );
+            staffRow = null;
+          } else {
+            api.logger?.warn?.(`[ofiere-staff] subagent ${subagentId} not found — ignoring persona`);
+          }
+        }
+
+        // wrap any return-block with the staff prefix (or pass through unchanged
+        // when no staff dispatch).
+        const wrap = (block: string | undefined | null): { appendSystemContext: string } | undefined => {
+          const finalBlock = staffPrefix + (block || "");
+          return finalBlock ? { appendSystemContext: finalBlock } : undefined;
+        };
+
         // Dispatch-params path: workflow executor + task-dispatcher edge function
         // can stash explicit `attached_sop_ids` / `attached_framework_ids` on the
         // chat.send frame's metadata. When present, prefer them over the
@@ -416,7 +468,16 @@ export function registerAttachmentContextHook(args: {
             sopIds: dispatchIds.sopIds,
             fwIds: dispatchIds.fwIds,
           });
-          return block ? { appendSystemContext: block } : undefined;
+          return wrap(block);
+        }
+
+        // Staff-mode runs bypass the chief-level attachment cache so a chief
+        // and its staff never share a cached attachment block.
+        if (subagentId) {
+          const block = await buildAttachmentBlock({
+            supabase, userId, agentId: resolvedAgentId, subagentId,
+          });
+          return wrap(block);
         }
 
         // Multi-tenant: a single plugin process can serve multiple users — key
@@ -426,7 +487,7 @@ export function registerAttachmentContextHook(args: {
         if (cached) {
           const age = Date.now() - cached.at;
           if (age < ATTACH_CACHE_TTL_MS) {
-            return cached.text ? { appendSystemContext: cached.text } : undefined;
+            return wrap(cached.text);
           }
           if (age < ATTACH_CACHE_STALE_MS) {
             // Refresh in background
@@ -436,13 +497,13 @@ export function registerAttachmentContextHook(args: {
                 attachmentCache.set(cacheKey, { text: fresh, at: Date.now() });
               } catch { /* ignore */ }
             })();
-            return cached.text ? { appendSystemContext: cached.text } : undefined;
+            return wrap(cached.text);
           }
         }
 
         const block = await buildAttachmentBlock({ supabase, userId, agentId: resolvedAgentId });
         attachmentCache.set(cacheKey, { text: block, at: Date.now() });
-        return block ? { appendSystemContext: block } : undefined;
+        return wrap(block);
       } catch (e) {
         api.logger?.debug?.(`[ofiere-attach] before_prompt_build error: ${e instanceof Error ? e.message : e}`);
       }

package/src/staffPersona.ts

@@ -0,0 +1,82 @@
+import type { SupabaseClient } from "@supabase/supabase-js";
+
+export interface SubagentRow {
+  id: string;
+  chief_agent_id: string;
+  name: string;
+  role: string | null;
+  codename: string | null;
+  system_prompt: string | null;
+  mission: string | null;
+  responsibilities: string | null;
+  instructions: string | null;
+  primary_model: string | null;
+  coding_model: string | null;
+  tool_call_model: string | null;
+  function_call_model: string | null;
+  vision_model: string | null;
+  mcp_server_ids: string[] | null;
+}
+
+export async function loadSubagentRow(
+  supabase: SupabaseClient,
+  userId: string,
+  subagentId: string,
+): Promise<SubagentRow | null> {
+  const { data, error } = await supabase
+    .from("agent_subagents")
+    .select(
+      "id, chief_agent_id, name, role, codename, system_prompt, mission, responsibilities, instructions, primary_model, coding_model, tool_call_model, function_call_model, vision_model, mcp_server_ids",
+    )
+    .eq("user_id", userId)
+    .eq("id", subagentId)
+    .maybeSingle();
+  if (error || !data) return null;
+  return data as SubagentRow;
+}
+
+// Cycle 7b — pluck subagent_id from dispatch metadata only. Plain user chats
+// must NOT trigger the staff persona swap or report emission, so we deliberately
+// do not consult ctx.subagentId / ctx.subagent_id at the top level.
+export function readDispatchSubagentId(ctx: any, event?: any): string | null {
+  const candidates: Array<unknown> = [
+    ctx?.metadata?.subagent_id,
+    ctx?.metadata?.dispatch?.subagent_id,
+    ctx?.params?.metadata?.subagent_id,
+    ctx?.payload?.metadata?.subagent_id,
+    ctx?.request?.metadata?.subagent_id,
+    ctx?.options?.metadata?.subagent_id,
+    ctx?.attachments?.subagent_id,
+    ctx?.dispatch?.subagent_id,
+    event?.metadata?.subagent_id,
+    event?.context?.metadata?.subagent_id,
+  ];
+  for (const c of candidates) {
+    if (typeof c === "string" && c.length) return c;
+  }
+  return null;
+}
+
+export function buildStaffPersonaBlock(staff: SubagentRow): string {
+  const lines: string[] = [];
+  lines.push(`# STAFF IDENTITY`);
+  lines.push(
+    `You are **${staff.name}**${staff.role ? ` (${staff.role})` : ""}, a staff member reporting to chief \`${staff.chief_agent_id}\`.`,
+  );
+  lines.push(
+    `You are NOT the chief. Execute the assigned task, then return a structured report. Do not adopt the chief's persona.`,
+  );
+  if (staff.system_prompt?.trim()) {
+    lines.push(``, `## Persona`, staff.system_prompt.trim());
+  }
+  if (staff.mission?.trim()) {
+    lines.push(``, `## Mission`, staff.mission.trim());
+  }
+  if (staff.responsibilities?.trim()) {
+    lines.push(``, `## Responsibilities`, staff.responsibilities.trim());
+  }
+  if (staff.instructions?.trim()) {
+    lines.push(``, `## Operating Instructions`, staff.instructions.trim());
+  }
+  return lines.join("\n");
+}

package/src/tools.ts

@@ -19,6 +19,7 @@ import {
   registerAttachmentContextHook,
 } from "./attachments.js";
 import { invalidateAgentTier } from "./agent-tier.js";
+import { loadSubagentRow, readDispatchSubagentId } from "./staffPersona.js";
 
 // ─── Tool result shape (matches OpenClaw SDK) ────────────────────────────────
 
@@ -38,6 +39,42 @@ function err(message: string): ToolResult {
   };
 }
 
+// ─── Subagent ↔ chief invariant ──────────────────────────────────────────────
+// Mirrors dashboard/lib/subagentValidation.ts. Used by TASK_OPS + SCHEDULE_OPS
+// when a chief delegates work to one of their staff via tool call.
+//
+// Returns:
+//   { ok: true, subagentId: <id> | null } — passed (or no subagent provided)
+//   { ok: false, reason: string }         — invariant violated
+async function validateSubagentForChief(
+  supabase: SupabaseClient,
+  userId: string,
+  subagentIdInput: unknown,
+  chiefAgentId: string | null | undefined,
+): Promise<{ ok: true; subagentId: string | null } | { ok: false; reason: string }> {
+  const subagentId =
+    typeof subagentIdInput === "string" && subagentIdInput.trim()
+      ? subagentIdInput.trim()
+      : null;
+  if (!subagentId) return { ok: true, subagentId: null };
+
+  const { data: sub } = await supabase
+    .from("agent_subagents")
+    .select("id, chief_agent_id")
+    .eq("user_id", userId)
+    .eq("id", subagentId)
+    .maybeSingle();
+
+  if (!sub) {
+    return { ok: false, reason: "subagent_not_found_or_not_yours" };
+  }
+  const chief = (chiefAgentId || "").trim();
+  if (!chief || sub.chief_agent_id !== chief) {
+    return { ok: false, reason: "subagent_chief_mismatch" };
+  }
+  return { ok: true, subagentId };
+}
+
 // ─── Helper: extract calling agent's accountId from OpenClaw context ─────────
 
 // Module-level: set once at registration time from index.ts
@@ -205,8 +242,8 @@ function registerTaskOps(
       `Actions:\n` +
       `- "list": List/filter tasks. Optional: status, agent_id, space_id, folder_id, task_id, limit\n` +
       `- "get": Get a single task by ID. Required: task_id\n` +
-      `- "create": Create a task. Required: title. Optional: agent_id, description, status, priority, space_id, folder_id, start_date, due_date, tags, instructions, execution_plan, goals, constraints, system_prompt, recurrence_type, recurrence_interval, scheduled_time. ⚠️ PLANNING GATE: If the task has 3+ execution steps, goals, or constraints, FIRST ask the user "Plan first or create directly?" If they choose to plan, use OFIERE_PLAN_OPS instead.\n` +
-      `- "update": Update a task. Required: task_id. Optional: all create fields + progress\n` +
+      `- "create": Create a task. Required: title. Optional: agent_id, subagent_id, description, status, priority, space_id, folder_id, start_date, due_date, tags, instructions, execution_plan, goals, constraints, system_prompt, recurrence_type, recurrence_interval, scheduled_time. ⚠️ PLANNING GATE: If the task has 3+ execution steps, goals, or constraints, FIRST ask the user "Plan first or create directly?" If they choose to plan, use OFIERE_PLAN_OPS instead.\n` +
+      `- "update": Update a task. Required: task_id. Optional: all create fields + progress + subagent_id\n` +
       `- "delete": Delete task + subtasks. Required: task_id\n` +
       `- "add_approval": Request approval on a task. Required: task_id, approver_name. Optional: approver_type (human|agent, auto-detected), due_date, comment\n` +
       `- "list_approvals": List approvals. Optional: task_id, approval_status filter (pending|approved|rejected)\n` +
@@ -214,6 +251,7 @@ function registerTaskOps(
       `For complex tasks, fill in execution_plan (step-by-step plan), goals, constraints, and system_prompt to help the executing agent.\n` +
       `For simple tasks, just provide title and optionally description.\n` +
       `agent_id: Pass your name to self-assign, another agent's name, or 'none'.\n` +
+      `subagent_id: When delegating to one of your own staff, pass the staff UUID here AND set agent_id to yourself (or the chief). The staff's chief_agent_id MUST match agent_id or the call rejects with subagent_chief_mismatch. Use OFIERE_AGENT_OPS list_subagents to discover available staff under a chief.\n` +
       `For recurring tasks: set start_date + recurrence_type + recurrence_interval. Example: every 2 minutes = recurrence_type: "minutely", recurrence_interval: 2.\n` +
       `Approvals: Use add_approval to request sign-off from humans or agents. Approvals are separate from workflow gate nodes.\n` +
       `Status: PENDING, IN_PROGRESS, DONE, FAILED | Priority: 0=LOW, 1=MEDIUM, 2=HIGH, 3=CRITICAL`,
@@ -237,6 +275,10 @@ function registerTaskOps(
           type: "string",
           description: "Agent name or ID. Your name to self-assign, 'none' for unassigned.",
         },
+        subagent_id: {
+          type: "string",
+          description: "Staff subagent UUID for delegation. Must belong to the chief in agent_id (verified server-side). Discover available staff via OFIERE_AGENT_OPS list_subagents.",
+        },
         status: {
           type: "string",
           description: "Task status",
@@ -437,6 +479,13 @@ async function handleCreateTask(
 
     const assignee = isUnassigned ? null : await resolveAgent(rawAgentId);
 
+    // ── Subagent delegation: validate staff↔chief invariant ──────────────
+    const subCheck = await validateSubagentForChief(supabase, userId, params.subagent_id, assignee);
+    if (!subCheck.ok) {
+      return err(subCheck.reason);
+    }
+    const subagentId = subCheck.subagentId;
+
     // Build custom_fields from task-ops extended fields
     const cf: Record<string, unknown> = {};
 
@@ -533,6 +582,7 @@ async function handleCreateTask(
       title: params.title,
       description: (params.description as string) || (params.instructions as string) || null,
       agent_id: assignee,
+      subagent_id: subagentId,
       assignee_type: "agent",
       status: (params.status as string) || "PENDING",
       priority: params.priority !== undefined ? params.priority : 1,
@@ -666,6 +716,7 @@ async function handleCreateTask(
           user_id: userId,
           task_id: id,
           agent_id: effectiveAgentId,
+          subagent_id: subagentId,
           title: params.title,
           description: (params.description as string) || (params.instructions as string) || null,
           scheduled_date: scheduledDateFinal,
@@ -743,6 +794,37 @@ async function handleUpdateTask(
     }
     if (params.status === "DONE") updates.completed_at = new Date().toISOString();
 
+    // ── Subagent + chief invariant ───────────────────────────────────────
+    // Mirrors dashboard PATCH: chief change without explicit subagent_id
+    // clears any existing subagent assignment; subagent_id alone validates
+    // against the row's current agent_id.
+    if (params.agent_id !== undefined || params.subagent_id !== undefined) {
+      if (params.agent_id !== undefined && params.subagent_id === undefined) {
+        // Chief switched, no explicit subagent — clear subagent_id.
+        updates.subagent_id = null;
+      } else {
+        let effectiveAgentId: string | null | undefined =
+          params.agent_id !== undefined ? (params.agent_id as string) : undefined;
+        if (effectiveAgentId === undefined) {
+          const { data: row } = await supabase
+            .from("tasks")
+            .select("agent_id")
+            .eq("id", params.task_id as string)
+            .eq("user_id", userId)
+            .maybeSingle();
+          effectiveAgentId = (row?.agent_id as string) ?? null;
+        }
+        const subCheck = await validateSubagentForChief(
+          supabase,
+          userId,
+          params.subagent_id,
+          effectiveAgentId,
+        );
+        if (!subCheck.ok) return err(subCheck.reason);
+        updates.subagent_id = subCheck.subagentId;
+      }
+    }
+
     // If task is being marked DONE or FAILED, auto-complete any linked scheduler events
     if (params.status === "DONE" || params.status === "FAILED") {
       try {
@@ -1093,7 +1175,9 @@ function registerAgentOps(
       `Actions:\n` +
       `- "list": List all top-level agents (chiefs / native + OpenClaw) with their IDs, names, roles, and status. Use this to find the correct agent_id for task assignment.\n` +
       `- "list_subagents": List staff subagents under a chief. Required: chief_agent_id.\n` +
+      `- "get_subagent": Fetch a single subagent's full row (including persona + model overrides + mcp_server_ids). Required: subagent_id.\n` +
       `- "create_subagent": Create a staff subagent under a chief (max 5 per chief). Required: chief_agent_id, name. Optional: role (default "Staff"), codename, color_hex (default "#64748b").\n` +
+      `- "update_subagent": Update a staff subagent's persona, model overrides, MCP allowlist, or identity fields. Required: subagent_id. Any of name, role, codename, color_hex, system_prompt, mission, responsibilities, instructions, primary_model, coding_model, tool_call_model, function_call_model, vision_model, mcp_server_ids may be set.\n` +
       `- "delete_subagent": Remove a staff subagent. Required: subagent_id.\n` +
       `- "invalidate_tier_cache": Flush the plugin's in-process tier resolver cache (5 min TTL). Optional: agent_id to flush a single entry; omit to flush all entries for the calling user. Use after any direct-DB mutation of agent_tier_overrides.`,
     parameters: {
@@ -1103,15 +1187,29 @@ function registerAgentOps(
         action: {
           type: "string",
           description: "The operation to perform",
-          enum: ["list", "list_subagents", "create_subagent", "delete_subagent", "invalidate_tier_cache"],
+          enum: ["list", "list_subagents", "get_subagent", "create_subagent", "update_subagent", "delete_subagent", "invalidate_tier_cache"],
         },
         chief_agent_id: { type: "string", description: "Chief agent ID (required for list_subagents, create_subagent)" },
-        subagent_id: { type: "string", description: "Subagent ID (required for delete_subagent)" },
+        subagent_id: { type: "string", description: "Subagent ID (required for get/update/delete_subagent)" },
         agent_id: { type: "string", description: "Agent ID (optional for invalidate_tier_cache — omit to flush all entries for the user)" },
         name: { type: "string", description: "Subagent display name (required for create_subagent)" },
         role: { type: "string", description: "Subagent role label, e.g. 'Staff', 'Analyst'. Defaults to 'Staff'." },
         codename: { type: "string", description: "Optional subagent codename" },
         color_hex: { type: "string", description: "Optional subagent UI color, default '#64748b'" },
+        system_prompt: { type: "string", description: "Staff persona / identity (Markdown). Optional." },
+        mission: { type: "string", description: "Short-form mission statement. Optional." },
+        responsibilities: { type: "string", description: "Bulleted Markdown list of duties. Optional." },
+        instructions: { type: "string", description: "Detailed how-they-work instructions (Markdown). Optional." },
+        primary_model: { type: "string", description: "Override primary slot. NULL/omit = inherit chief." },
+        coding_model: { type: "string", description: "Override coding slot." },
+        tool_call_model: { type: "string", description: "Override tool-call slot." },
+        function_call_model: { type: "string", description: "Override function-call slot." },
+        vision_model: { type: "string", description: "Override vision slot." },
+        mcp_server_ids: {
+          type: "array",
+          items: { type: "string" },
+          description: "Allowlist of MCP server UUIDs. Reserved for cycle 8 enforcement.",
+        },
       },
     },
     async execute(_id: string, params: Record<string, unknown>) {
@@ -1122,14 +1220,18 @@ function registerAgentOps(
           return handleListAgents(api, supabase, userId, fallbackAgentId);
         case "list_subagents":
           return handleListSubagents(supabase, userId, params);
+        case "get_subagent":
+          return handleGetSubagent(supabase, userId, params);
         case "create_subagent":
           return handleCreateSubagent(supabase, userId, params);
+        case "update_subagent":
+          return handleUpdateSubagent(supabase, userId, params);
         case "delete_subagent":
           return handleDeleteSubagent(supabase, userId, params);
         case "invalidate_tier_cache":
           return handleInvalidateTierCache(userId, params);
         default:
-          return err(`Unknown action "${action}". Valid actions: list, list_subagents, create_subagent, delete_subagent, invalidate_tier_cache`);
+          return err(`Unknown action "${action}". Valid actions: list, list_subagents, get_subagent, create_subagent, update_subagent, delete_subagent, invalidate_tier_cache`);
       }
     },
   });
@@ -1395,8 +1497,8 @@ function registerScheduleOps(
       `Manage calendar events and schedule tasks on the timeline.\n\n` +
       `Actions:\n` +
       `- "list": List events. Optional: start_date, end_date, agent_id\n` +
-      `- "create": Schedule an event. Required: title, scheduled_date. Optional: task_id, agent_id, scheduled_time, duration_minutes, recurrence_type, recurrence_interval, color, priority\n` +
-      `- "update": Update event. Required: id. Optional: title, scheduled_date, scheduled_time, duration_minutes, status, recurrence_type\n` +
+      `- "create": Schedule an event. Required: title, scheduled_date. Optional: task_id, agent_id, subagent_id, scheduled_time, duration_minutes, recurrence_type, recurrence_interval, color, priority\n` +
+      `- "update": Update event. Required: id. Optional: title, scheduled_date, scheduled_time, duration_minutes, status, recurrence_type, agent_id, subagent_id\n` +
       `- "delete": Remove event. Required: id\n` +
       `recurrence_type: none, hourly, daily, weekly, monthly\n` +
       `priority: 0=low, 1=medium, 2=high, 3=critical`,
@@ -1410,6 +1512,7 @@ function registerScheduleOps(
         description: { type: "string" },
         task_id: { type: "string", description: "Link to a task" },
         agent_id: { type: "string", description: "Assigned agent" },
+        subagent_id: { type: "string", description: "Staff subagent UUID for delegation. Must belong to the chief in agent_id (verified server-side)." },
         scheduled_date: { type: "string", description: "Date (YYYY-MM-DD)" },
         scheduled_time: { type: "string", description: "Time (HH:MM)" },
         start_date: { type: "string", description: "List filter: start (YYYY-MM-DD)" },
@@ -1442,6 +1545,15 @@ function registerScheduleOps(
           const pVal = typeof params.priority === "number" ? params.priority
             : priorityMap[String(params.priority || "").toLowerCase()] ?? 0;
 
+          // Validate subagent ↔ chief invariant before insert
+          const evtSubCheck = await validateSubagentForChief(
+            supabase,
+            userId,
+            params.subagent_id,
+            (params.agent_id as string) || null,
+          );
+          if (!evtSubCheck.ok) return err(evtSubCheck.reason);
+
           // Compute next_run_at from scheduled_date + scheduled_time
           let nextRunAt: number | null = null;
           try {
@@ -1461,6 +1573,7 @@ function registerScheduleOps(
             user_id: userId,
             task_id: (params.task_id as string) || null,
             agent_id: (params.agent_id as string) || null,
+            subagent_id: evtSubCheck.subagentId,
             title: params.title,
             description: (params.description as string) || null,
             scheduled_date: params.scheduled_date,
@@ -1498,6 +1611,33 @@ function registerScheduleOps(
                            "recurrence_type", "recurrence_interval", "status", "color", "priority", "agent_id"]) {
             if ((params as any)[f] !== undefined) upd[f] = (params as any)[f];
           }
+
+          // Subagent + chief invariant. Same rule as TASK_OPS update.
+          if (params.agent_id !== undefined || params.subagent_id !== undefined) {
+            if (params.agent_id !== undefined && params.subagent_id === undefined) {
+              upd.subagent_id = null;
+            } else {
+              let effectiveAgent: string | null | undefined =
+                params.agent_id !== undefined ? (params.agent_id as string) : undefined;
+              if (effectiveAgent === undefined) {
+                const { data: row } = await supabase
+                  .from("scheduler_events")
+                  .select("agent_id")
+                  .eq("id", params.id as string)
+                  .eq("user_id", userId)
+                  .maybeSingle();
+                effectiveAgent = (row?.agent_id as string) ?? null;
+              }
+              const evtUpdSub = await validateSubagentForChief(
+                supabase,
+                userId,
+                params.subagent_id,
+                effectiveAgent,
+              );
+              if (!evtUpdSub.ok) return err(evtUpdSub.reason);
+              upd.subagent_id = evtUpdSub.subagentId;
+            }
+          }
           // Map string priority to number if provided
           if (upd.priority !== undefined && typeof upd.priority === "string") {
             const pMap: Record<string, number> = { low: 0, medium: 1, high: 2, critical: 3 };
@@ -5279,6 +5419,66 @@ async function handleDeleteSubagent(supabase: SupabaseClient, userId: string, pa
   } catch (e) { return err(e instanceof Error ? e.message : String(e)); }
 }
 
+async function handleGetSubagent(
+  supabase: SupabaseClient,
+  userId: string,
+  params: Record<string, unknown>,
+): Promise<ToolResult> {
+  try {
+    const subagentId = params.subagent_id as string | undefined;
+    if (!subagentId) return err("Missing required field: subagent_id");
+    const { data, error } = await supabase
+      .from("agent_subagents")
+      .select("*")
+      .eq("user_id", userId)
+      .eq("id", subagentId)
+      .maybeSingle();
+    if (error) return err(error.message);
+    if (!data) return err("subagent_not_found_or_not_yours");
+    return ok({ subagent: data });
+  } catch (e) { return err(e instanceof Error ? e.message : String(e)); }
+}
+
+async function handleUpdateSubagent(
+  supabase: SupabaseClient,
+  userId: string,
+  params: Record<string, unknown>,
+): Promise<ToolResult> {
+  try {
+    const subagentId = params.subagent_id as string | undefined;
+    if (!subagentId) return err("Missing required field: subagent_id");
+
+    const updates: Record<string, unknown> = {};
+    const stringFields = [
+      "name", "role", "codename", "color_hex",
+      "system_prompt", "mission", "responsibilities", "instructions",
+      "primary_model", "coding_model", "tool_call_model", "function_call_model", "vision_model",
+    ] as const;
+    for (const key of stringFields) {
+      if (key in params && params[key] !== undefined) updates[key] = params[key];
+    }
+    if ("mcp_server_ids" in params && Array.isArray(params.mcp_server_ids)) {
+      updates.mcp_server_ids = (params.mcp_server_ids as unknown[]).filter(
+        (x): x is string => typeof x === "string",
+      );
+    }
+    if (Object.keys(updates).length === 0) {
+      return err("no updatable fields provided");
+    }
+
+    const { data, error } = await supabase
+      .from("agent_subagents")
+      .update(updates)
+      .eq("id", subagentId)
+      .eq("user_id", userId)
+      .select()
+      .maybeSingle();
+    if (error) return err(error.message);
+    if (!data) return err("subagent_not_found_or_not_yours");
+    return ok({ subagent: data, updated_fields: Object.keys(updates) });
+  } catch (e) { return err(e instanceof Error ? e.message : String(e)); }
+}
+
 async function handleSOPApplyTemplate(
   supabase: SupabaseClient, userId: string,
   resolveAgent: (id?: string) => Promise<string | null>,
@@ -6331,6 +6531,77 @@ function registerBrainExtractionHook(
 
         api.logger.debug?.(`[ofiere-brain] agent_end identity: ctx.agentId=${ctx?.agentId || "(none)"} event.agentId=${event?.agentId || "(none)"} resolved=${resolvedAgentId}`);
 
+        // ── Cycle 7b — Staff report emit ──
+        // If this agent_end was triggered by a staff dispatch, write a chief-
+        // scoped memory note ("Staff X reported on task Y: ...") and POST a
+        // webhook so the dashboard can surface the report. The staff itself
+        // gets no memory entry (req 3 — staff has no memory of its own).
+        const staffDispatchSubagentId = readDispatchSubagentId(ctx, event);
+        if (staffDispatchSubagentId) {
+          (async () => {
+            try {
+              const staff = await loadSubagentRow(supabase, userId, staffDispatchSubagentId);
+              if (!staff) {
+                api.logger.warn?.(`[ofiere-staff-report] subagent ${staffDispatchSubagentId} not found — skipping report`);
+                return;
+              }
+              if (staff.chief_agent_id !== resolvedAgentId) {
+                api.logger.warn?.(`[ofiere-staff-report] chief_mismatch (subagent ${staffDispatchSubagentId} reports to ${staff.chief_agent_id}, run was on ${resolvedAgentId}) — skipping report`);
+                return;
+              }
+              const taskId =
+                ctx?.metadata?.task_id || ctx?.metadata?.dispatch?.task_id ||
+                event?.metadata?.task_id || event?.context?.metadata?.task_id || null;
+              const excerpt = lastAssistant.slice(0, 1500);
+              const reportBody = taskId
+                ? `Staff ${staff.name}${staff.role ? ` (${staff.role})` : ""} reported on task ${taskId}:\n\n${excerpt}`
+                : `Staff ${staff.name}${staff.role ? ` (${staff.role})` : ""} reported:\n\n${excerpt}`;
+              await supabase.from("agent_memories").insert({
+                user_id: userId,
+                agent_id: staff.chief_agent_id,
+                tier: "L4_episodic",
+                content: reportBody,
+                source: "staff_report",
+                importance: 5,
+                context_key: taskId ? `staff_report:${staffDispatchSubagentId}:${taskId}` : `staff_report:${staffDispatchSubagentId}`,
+              });
+              api.logger.info?.(`[ofiere-staff-report] memory written for chief ${staff.chief_agent_id} from staff ${staff.name}`);
+
+              // Best-effort webhook to dashboard (existing OPENCLAW_WEBHOOK_SECRET).
+              const webhookUrl = process.env.OFIERE_DASHBOARD_WEBHOOK_URL || "";
+              const webhookSecret = process.env.OPENCLAW_WEBHOOK_SECRET || "";
+              if (webhookUrl && webhookSecret) {
+                try {
+                  await fetch(webhookUrl, {
+                    method: "POST",
+                    headers: {
+                      "content-type": "application/json",
+                      authorization: `Bearer ${webhookSecret}`,
+                    },
+                    body: JSON.stringify({
+                      type: "staff_report",
+                      payload: {
+                        user_id: userId,
+                        chief_agent_id: staff.chief_agent_id,
+                        subagent_id: staffDispatchSubagentId,
+                        task_id: taskId,
+                        response: excerpt,
+                      },
+                    }),
+                  });
+                } catch (wErr) {
+                  api.logger.debug?.(`[ofiere-staff-report] webhook post failed: ${wErr instanceof Error ? wErr.message : String(wErr)}`);
+                }
+              }
+            } catch (sErr) {
+              api.logger.warn?.(`[ofiere-staff-report] failed: ${sErr instanceof Error ? sErr.message : String(sErr)}`);
+            }
+          })();
+          // Skip the standard chief memory writes — this run was the staff's,
+          // not the chief's. The chief gets a single L4 report entry above.
+          return;
+        }
+
         // ── Fast Stream: Write L1_focus + L2_episode in parallel ──
         const rawContent = `User: ${lastUser}\nAssistant: ${lastAssistant}`;
         const immediateWrites: PromiseLike<any>[] = [];