boost-backend — Agent lifecycle routes with permission integration (issue 4 of 15)

[gabemontero]

Labels: ready-to-code
Depends on: Issue 2

Implement agent CRUD routes with 4-stage lifecycle (Draft → Pending → Published → Archived) and fine-grained permission integration via authorizeLifecycleAction.

Tasks

From openspec/changes/security-safety-governance/tasks.md section 3:

• 3.1-3.7 Implement all agent routes with fine-grained permissions

From openspec/changes/agent-creation-discovery/tasks.md section 4:

• 4.1 Implement 4-stage lifecycle as the only model
• 4.2 Document cascading delete behavior

Specifications

• openspec/changes/security-safety-governance/specs/fine-grained-permissions/spec.md — Agent permission scenarios
• openspec/changes/agent-creation-discovery/design.md — Decision 5 (lifecycle with ownership)
• openspec/changes/agent-creation-discovery/specs/agent-creation-paths/spec.md

[fullsend-ai-triage]

Triage Summary

This issue is blocked by #3298 (Core plugin scaffold, ProviderManager, and security middleware — issue 2 of 15), which is still open.

The agent lifecycle routes (CRUD with 4-stage lifecycle and authorizeLifecycleAction permission integration) depend on the core plugin scaffold, ProviderManager, and security middleware that #3298 is responsible for delivering. Work on this issue cannot meaningfully proceed until that foundation is in place.

Once #3298 is resolved, this issue should be re-triaged to confirm readiness.

---

Labels: This is a new feature request for the boost-backend workspace within the ai-integrations area.