@swarmclawai/swarmclaw 0.4.0 → 0.5.0

package/src/app/api/schedules/[id]/route.ts

@@ -1,31 +1,29 @@
 import { NextResponse } from 'next/server'
 import { loadSchedules, saveSchedules, deleteSchedule } from '@/lib/server/storage'
 import { resolveScheduleName } from '@/lib/schedule-name'
-import { notify } from '@/lib/server/ws-hub'
+import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const ops: CollectionOps<any> = { load: loadSchedules, save: saveSchedules, deleteFn: deleteSchedule, topic: 'schedules' }
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const body = await req.json()
-  const schedules = loadSchedules()
-  if (!schedules[id]) return new NextResponse(null, { status: 404 })
-
-  const origId = id
-  Object.assign(schedules[id], body)
-  schedules[id].id = origId
-  schedules[id].name = resolveScheduleName({
-    name: schedules[id].name,
-    taskPrompt: schedules[id].taskPrompt,
+  const result = mutateItem(ops, id, (schedule) => {
+    Object.assign(schedule, body)
+    schedule.id = id
+    schedule.name = resolveScheduleName({
+      name: schedule.name,
+      taskPrompt: schedule.taskPrompt,
+    })
+    return schedule
   })
-  saveSchedules(schedules)
-  notify('schedules')
-  return NextResponse.json(schedules[id])
+  if (!result) return notFound()
+  return NextResponse.json(result)
 }
 
 export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const schedules = loadSchedules()
-  if (!schedules[id]) return new NextResponse(null, { status: 404 })
-  deleteSchedule(id)
-  notify('schedules')
-  return NextResponse.json('ok')
+  if (!deleteItem(ops, id)) return notFound()
+  return NextResponse.json({ ok: true })
 }

package/src/app/api/schedules/[id]/run/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
+import { notFound } from '@/lib/server/collection-helpers'
 import { loadSchedules, saveSchedules, loadAgents, loadTasks, saveTasks } from '@/lib/server/storage'
 import { enqueueTask } from '@/lib/server/queue'
 import { pushMainLoopEventToMainSessions } from '@/lib/server/main-agent-loop'
@@ -14,7 +15,7 @@ export async function POST(_req: Request, { params }: { params: Promise<{ id: st
   const { id } = await params
   const schedules = loadSchedules()
   const schedule = schedules[id]
-  if (!schedule) return new NextResponse(null, { status: 404 })
+  if (!schedule) return notFound()
 
   const agents = loadAgents()
   const agent = agents[schedule.agentId]
@@ -64,7 +65,7 @@ export async function POST(_req: Request, { params }: { params: Promise<{ id: st
     existingTask.validation = null
     prev.runNumber = schedule.runNumber
   } else {
-    taskId = crypto.randomBytes(4).toString('hex')
+    taskId = genId()
     tasks[taskId] = {
       id: taskId,
       title: `[Sched] ${schedule.name} (run #${schedule.runNumber})`,

package/src/app/api/schedules/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { loadSchedules, saveSchedules } from '@/lib/server/storage'
 import { resolveScheduleName } from '@/lib/schedule-name'
 import { findDuplicateSchedule } from '@/lib/schedule-dedupe'
@@ -51,7 +51,7 @@ export async function POST(req: Request) {
     return NextResponse.json(duplicate)
   }
 
-  const id = crypto.randomBytes(4).toString('hex')
+  const id = genId()
 
   let nextRunAt: number | undefined
   if (scheduleType === 'once' && body.runAt) {

package/src/app/api/secrets/[id]/route.ts

@@ -1,29 +1,28 @@
 import { NextResponse } from 'next/server'
 import { loadSecrets, saveSecrets } from '@/lib/server/storage'
+import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const ops: CollectionOps<any> = { load: loadSecrets, save: saveSecrets }
 
 export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const secrets = loadSecrets()
-  if (!secrets[id]) return new NextResponse(null, { status: 404 })
-  delete secrets[id]
-  saveSecrets(secrets)
-  return NextResponse.json('ok')
+  if (!deleteItem(ops, id)) return notFound()
+  return NextResponse.json({ ok: true })
 }
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const body = await req.json()
-  const secrets = loadSecrets()
-  if (!secrets[id]) return new NextResponse(null, { status: 404 })
-
-  // Update metadata only (not the encrypted value unless a new value is provided)
-  if (body.name !== undefined) secrets[id].name = body.name
-  if (body.service !== undefined) secrets[id].service = body.service
-  if (body.scope !== undefined) secrets[id].scope = body.scope
-  if (body.agentIds !== undefined) secrets[id].agentIds = body.agentIds
-  secrets[id].updatedAt = Date.now()
-  saveSecrets(secrets)
-
-  const { encryptedValue, ...safe } = secrets[id]
+  const result = mutateItem(ops, id, (secret) => {
+    if (body.name !== undefined) secret.name = body.name
+    if (body.service !== undefined) secret.service = body.service
+    if (body.scope !== undefined) secret.scope = body.scope
+    if (body.agentIds !== undefined) secret.agentIds = body.agentIds
+    secret.updatedAt = Date.now()
+    return secret
+  })
+  if (!result) return notFound()
+  const { encryptedValue, ...safe } = result as Record<string, unknown>
   return NextResponse.json(safe)
 }

package/src/app/api/secrets/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { loadSecrets, saveSecrets, encryptKey } from '@/lib/server/storage'
 export const dynamic = 'force-dynamic'
 
@@ -18,7 +18,7 @@ export async function GET(_req: Request) {
 
 export async function POST(req: Request) {
   const body = await req.json()
-  const id = crypto.randomBytes(4).toString('hex')
+  const id = genId()
   const now = Date.now()
   const secrets = loadSecrets()
 

package/src/app/api/sessions/[id]/clear/route.ts

@@ -1,10 +1,11 @@
 import { NextResponse } from 'next/server'
 import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 
 export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
-  if (!sessions[id]) return new NextResponse(null, { status: 404 })
+  if (!sessions[id]) return notFound()
   sessions[id].messages = []
   sessions[id].claudeSessionId = null
   sessions[id].codexThreadId = null

package/src/app/api/sessions/[id]/deploy/route.ts

@@ -1,12 +1,13 @@
 import { NextResponse } from 'next/server'
 import { execSync } from 'child_process'
 import { loadSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
   const session = sessions[id]
-  if (!session) return new NextResponse(null, { status: 404 })
+  if (!session) return notFound()
 
   const body = await req.json()
   const msg = body.message || 'Deploy from SwarmClaw'

package/src/app/api/sessions/[id]/devserver/route.ts

@@ -1,12 +1,13 @@
 import { NextResponse } from 'next/server'
 import { spawn } from 'child_process'
 import { loadSessions, devServers, localIP } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
   const session = sessions[id]
-  if (!session) return new NextResponse(null, { status: 404 })
+  if (!session) return notFound()
 
   const { action } = await req.json()
 

package/src/app/api/sessions/[id]/edit-resend/route.ts

@@ -0,0 +1,22 @@
+import { NextResponse } from 'next/server'
+import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const body = await req.json() as { messageIndex: number; newText: string }
+  const sessions = loadSessions()
+  const session = sessions[id]
+  if (!session) return notFound()
+
+  const { messageIndex, newText } = body
+  if (typeof messageIndex !== 'number' || messageIndex < 0 || messageIndex >= session.messages.length) {
+    return NextResponse.json({ error: 'Invalid message index' }, { status: 400 })
+  }
+
+  // Truncate messages to messageIndex (discard that msg + everything after)
+  session.messages = session.messages.slice(0, messageIndex)
+  saveSessions(sessions)
+
+  return NextResponse.json({ message: newText })
+}

package/src/app/api/sessions/[id]/fork/route.ts

@@ -0,0 +1,44 @@
+import { NextResponse } from 'next/server'
+import { randomUUID } from 'node:crypto'
+import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const body = await req.json() as { messageIndex: number }
+  const sessions = loadSessions()
+  const source = sessions[id]
+  if (!source) return notFound()
+
+  const { messageIndex } = body
+  if (typeof messageIndex !== 'number' || messageIndex < 0 || messageIndex >= source.messages.length) {
+    return NextResponse.json({ error: 'Invalid message index' }, { status: 400 })
+  }
+
+  const now = Date.now()
+  const newId = randomUUID()
+  const forked = {
+    id: newId,
+    name: `Fork of ${source.name}`,
+    cwd: source.cwd,
+    user: source.user,
+    provider: source.provider,
+    model: source.model,
+    credentialId: source.credentialId ?? null,
+    fallbackCredentialIds: source.fallbackCredentialIds,
+    apiEndpoint: source.apiEndpoint ?? null,
+    claudeSessionId: null,
+    messages: source.messages.slice(0, messageIndex + 1),
+    createdAt: now,
+    lastActiveAt: now,
+    agentId: source.agentId ?? null,
+    parentSessionId: id,
+    tools: source.tools,
+    conversationTone: source.conversationTone,
+  }
+
+  sessions[newId] = forked
+  saveSessions(sessions)
+
+  return NextResponse.json(forked)
+}

package/src/app/api/sessions/[id]/messages/route.ts

@@ -1,9 +1,27 @@
 import { NextResponse } from 'next/server'
-import { loadSessions } from '@/lib/server/storage'
+import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
-  if (!sessions[id]) return new NextResponse(null, { status: 404 })
+  if (!sessions[id]) return notFound()
   return NextResponse.json(sessions[id].messages)
 }
+
+export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const body = await req.json() as { messageIndex: number; bookmarked: boolean }
+  const sessions = loadSessions()
+  const session = sessions[id]
+  if (!session) return notFound()
+
+  const { messageIndex, bookmarked } = body
+  if (typeof messageIndex !== 'number' || messageIndex < 0 || messageIndex >= session.messages.length) {
+    return NextResponse.json({ error: 'Invalid message index' }, { status: 400 })
+  }
+
+  session.messages[messageIndex].bookmarked = bookmarked
+  saveSessions(sessions)
+  return NextResponse.json(session.messages[messageIndex])
+}

package/src/app/api/sessions/[id]/retry/route.ts

@@ -1,11 +1,12 @@
 import { NextResponse } from 'next/server'
 import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 
 export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
   const session = sessions[id]
-  if (!session) return new NextResponse(null, { status: 404 })
+  if (!session) return notFound()
 
   const msgs = session.messages
   // Pop trailing assistant messages to find the last user message

package/src/app/api/sessions/[id]/route.ts

@@ -1,7 +1,9 @@
 import { NextResponse } from 'next/server'
 import { loadSessions, saveSessions, deleteSession, active, loadAgents } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 import { enqueueSessionRun } from '@/lib/server/session-run-manager'
 import { normalizeProviderEndpoint } from '@/lib/openclaw-endpoint'
+import { ensureMainSessionFlag, isProtectedMainSession } from '@/lib/server/main-session'
 
 function buildSessionAwakeningPrompt(user: string | null | undefined): string {
   const displayName = typeof user === 'string' && user.trim() ? user.trim() : 'there'
@@ -20,7 +22,8 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
   const { id } = await params
   const updates = await req.json()
   const sessions = loadSessions()
-  if (!sessions[id]) return new NextResponse(null, { status: 404 })
+  if (!sessions[id]) return notFound()
+  const wasProtectedMain = isProtectedMainSession(sessions[id])
   const hadMessagesBefore = Array.isArray(sessions[id].messages) && sessions[id].messages.length > 0
 
   const agentIdUpdateProvided = updates.agentId !== undefined
@@ -32,7 +35,13 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
 
   const linkedAgent = nextAgentId ? loadAgents()[nextAgentId] : null
 
-  if (updates.name !== undefined) sessions[id].name = updates.name
+  if (updates.name !== undefined) {
+    const nextName = typeof updates.name === 'string' ? updates.name.trim() : String(updates.name || '')
+    if (wasProtectedMain && nextName !== '__main__') {
+      return new NextResponse('Cannot rename main chat session', { status: 400 })
+    }
+    sessions[id].name = updates.name
+  }
   if (updates.cwd !== undefined) sessions[id].cwd = updates.cwd
   if (updates.provider !== undefined) sessions[id].provider = updates.provider
   else if (agentIdUpdateProvided && linkedAgent?.provider) sessions[id].provider = linkedAgent.provider
@@ -61,8 +70,9 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
   if (updates.heartbeatIntervalSec !== undefined) sessions[id].heartbeatIntervalSec = updates.heartbeatIntervalSec
   if (updates.pinned !== undefined) sessions[id].pinned = !!updates.pinned
   if (!Array.isArray(sessions[id].messages)) sessions[id].messages = []
+  ensureMainSessionFlag(sessions[id])
 
-  const shouldKickoffAwakening = sessions[id].name === '__main__'
+  const shouldKickoffAwakening = isProtectedMainSession(sessions[id])
     && agentIdUpdateProvided
     && !!sessions[id].agentId
     && !hadMessagesBefore
@@ -91,7 +101,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
 export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const sessions = loadSessions()
-  if (sessions[id]?.name === '__main__') {
+  if (isProtectedMainSession(sessions[id])) {
     return new NextResponse('Cannot delete main chat session', { status: 403 })
   }
   if (active.has(id)) {

package/src/app/api/sessions/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import os from 'os'
 import path from 'path'
 import { loadSessions, saveSessions, deleteSession, active, loadAgents } from '@/lib/server/storage'
@@ -7,6 +7,7 @@ import { WORKSPACE_DIR } from '@/lib/server/data-dir'
 import { notify } from '@/lib/server/ws-hub'
 import { getSessionRunState } from '@/lib/server/session-run-manager'
 import { normalizeProviderEndpoint } from '@/lib/openclaw-endpoint'
+import { ensureMainSessionFlag, isProtectedMainSession } from '@/lib/server/main-session'
 export const dynamic = 'force-dynamic'
 
 
@@ -27,16 +28,18 @@ export async function DELETE(req: Request) {
     return new NextResponse('Missing ids', { status: 400 })
   }
   const sessions = loadSessions()
+  let deleted = 0
   for (const id of ids) {
-    if (sessions[id]?.name === '__main__') continue
+    if (isProtectedMainSession(sessions[id])) continue
     if (active.has(id)) {
       try { active.get(id).kill() } catch {}
       active.delete(id)
     }
     deleteSession(id)
+    deleted += 1
   }
   notify('sessions')
-  return NextResponse.json({ deleted: ids.length })
+  return NextResponse.json({ deleted, requested: ids.length })
 }
 
 export async function POST(req: Request) {
@@ -46,7 +49,7 @@ export async function POST(req: Request) {
   else if (cwd === '~') cwd = os.homedir()
   else if (!cwd) cwd = WORKSPACE_DIR
 
-  const id = body.id || crypto.randomBytes(4).toString('hex')
+  const id = body.id || genId()
   const sessions = loadSessions()
   const agent = body.agentId ? loadAgents()[body.agentId] : null
   const requestedTools = Array.isArray(body.tools) ? body.tools : null
@@ -86,6 +89,7 @@ export async function POST(req: Request) {
     heartbeatEnabled: body.heartbeatEnabled ?? null,
     heartbeatIntervalSec: body.heartbeatIntervalSec ?? null,
   }
+  ensureMainSessionFlag(sessions[id])
   saveSessions(sessions)
   notify('sessions')
   return NextResponse.json(sessions[id])

package/src/app/api/skills/[id]/route.ts

@@ -1,40 +1,42 @@
 import { NextResponse } from 'next/server'
 import { loadSkills, saveSkills, deleteSkill } from '@/lib/server/storage'
 import { normalizeSkillPayload } from '@/lib/server/skills-normalize'
+import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const ops: CollectionOps<any> = { load: loadSkills, save: saveSkills, deleteFn: deleteSkill }
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const skills = loadSkills()
-  if (!skills[id]) return new NextResponse(null, { status: 404 })
+  if (!skills[id]) return notFound()
   return NextResponse.json(skills[id])
 }
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const body = await req.json()
-  const skills = loadSkills()
-  if (!skills[id]) return new NextResponse(null, { status: 404 })
-  const normalized = normalizeSkillPayload({ ...skills[id], ...body })
-  skills[id] = {
-    ...skills[id],
-    ...body,
-    name: normalized.name,
-    filename: normalized.filename,
-    description: normalized.description,
-    content: normalized.content,
-    sourceUrl: normalized.sourceUrl,
-    sourceFormat: normalized.sourceFormat,
-    id,
-    updatedAt: Date.now(),
-  }
-  saveSkills(skills)
-  return NextResponse.json(skills[id])
+  const result = mutateItem(ops, id, (skill) => {
+    const normalized = normalizeSkillPayload({ ...skill, ...body })
+    return {
+      ...skill,
+      ...body,
+      name: normalized.name,
+      filename: normalized.filename,
+      description: normalized.description,
+      content: normalized.content,
+      sourceUrl: normalized.sourceUrl,
+      sourceFormat: normalized.sourceFormat,
+      id,
+      updatedAt: Date.now(),
+    }
+  })
+  if (!result) return notFound()
+  return NextResponse.json(result)
 }
 
 export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const skills = loadSkills()
-  if (!skills[id]) return new NextResponse(null, { status: 404 })
-  deleteSkill(id)
+  if (!deleteItem(ops, id)) return notFound()
   return NextResponse.json({ deleted: id })
 }

package/src/app/api/skills/import/route.ts

@@ -1,4 +1,4 @@
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { NextResponse } from 'next/server'
 import { loadSkills, saveSkills } from '@/lib/server/storage'
 import { normalizeSkillPayload } from '@/lib/server/skills-normalize'
@@ -47,7 +47,7 @@ export async function POST(req: Request) {
     })
 
     const skills = loadSkills()
-    const id = crypto.randomBytes(4).toString('hex')
+    const id = genId()
     skills[id] = {
       id,
       name: normalized.name,

package/src/app/api/skills/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { loadSkills, saveSkills } from '@/lib/server/storage'
 import { normalizeSkillPayload } from '@/lib/server/skills-normalize'
 export const dynamic = 'force-dynamic'
@@ -12,7 +12,7 @@ export async function GET(_req: Request) {
 export async function POST(req: Request) {
   const body = await req.json()
   const skills = loadSkills()
-  const id = crypto.randomBytes(4).toString('hex')
+  const id = genId()
   const normalized = normalizeSkillPayload(body)
   skills[id] = {
     id,

package/src/app/api/tasks/[id]/approve/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { loadTasks, saveTasks, loadAgents } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 import { notify } from '@/lib/server/ws-hub'
 import { getCheckpointSaver } from '@/lib/server/langgraph-checkpoint'
 
@@ -10,7 +11,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
 
   const tasks = loadTasks()
   const task = tasks[id]
-  if (!task) return new NextResponse(null, { status: 404 })
+  if (!task) return notFound()
   if (!task.pendingApproval) {
     return NextResponse.json({ error: 'No pending approval on this task' }, { status: 400 })
   }

package/src/app/api/tasks/[id]/route.ts

@@ -1,6 +1,7 @@
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { NextResponse } from 'next/server'
 import { loadTasks, saveTasks } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
 import { disableSessionHeartbeat, enqueueTask, validateCompletedTasksQueue } from '@/lib/server/queue'
 import { ensureTaskCompletionReport } from '@/lib/server/task-reports'
 import { formatValidationFailure, validateTaskCompletion } from '@/lib/server/task-validation'
@@ -13,7 +14,7 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
   const { id } = await params
   const tasks = loadTasks()
-  if (!tasks[id]) return new NextResponse(null, { status: 404 })
+  if (!tasks[id]) return notFound()
   return NextResponse.json(tasks[id])
 }
 
@@ -21,7 +22,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
   const { id } = await params
   const body = await req.json()
   const tasks = loadTasks()
-  if (!tasks[id]) return new NextResponse(null, { status: 404 })
+  if (!tasks[id]) return notFound()
 
   const prevStatus = tasks[id].status
 
@@ -55,7 +56,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
       tasks[id].error = formatValidationFailure(validation.reasons).slice(0, 500)
       if (!tasks[id].comments) tasks[id].comments = []
       tasks[id].comments.push({
-        id: crypto.randomBytes(4).toString('hex'),
+        id: genId(),
         author: 'System',
         text: `Completion validation failed.\n\n${validation.reasons.map((r) => `- ${r}`).join('\n')}`,
         createdAt: Date.now(),
@@ -88,7 +89,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
 export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const tasks = loadTasks()
-  if (!tasks[id]) return new NextResponse(null, { status: 404 })
+  if (!tasks[id]) return notFound()
 
   // Soft delete: move to archived status instead of hard delete
   tasks[id].status = 'archived'

package/src/app/api/tasks/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import crypto from 'crypto'
+import { genId } from '@/lib/id'
 import { loadTasks, saveTasks, loadSettings } from '@/lib/server/storage'
 import { enqueueTask, validateCompletedTasksQueue } from '@/lib/server/queue'
 import { ensureTaskCompletionReport } from '@/lib/server/task-reports'
@@ -54,7 +54,7 @@ export async function DELETE(req: Request) {
 
 export async function POST(req: Request) {
   const body = await req.json()
-  const id = crypto.randomBytes(4).toString('hex')
+  const id = genId()
   const now = Date.now()
   const tasks = loadTasks()
   const settings = loadSettings()

package/src/app/api/tts/stream/route.ts

@@ -0,0 +1,48 @@
+import { loadSettings } from '@/lib/server/storage'
+
+export async function POST(req: Request) {
+  const settings = loadSettings()
+  const ELEVENLABS_KEY = settings.elevenLabsApiKey || process.env.ELEVENLABS_API_KEY
+  const ELEVENLABS_VOICE = settings.elevenLabsVoiceId || process.env.ELEVENLABS_VOICE || 'JBFqnCBsd6RMkjVDRZzb'
+
+  if (!ELEVENLABS_KEY) {
+    return new Response('No ElevenLabs API key. Set one in Settings > Voice.', { status: 500 })
+  }
+
+  const { text } = await req.json()
+  if (!text?.trim()) {
+    return new Response('No text provided', { status: 400 })
+  }
+
+  const apiRes = await fetch(
+    `https://api.elevenlabs.io/v1/text-to-speech/${ELEVENLABS_VOICE}/stream`,
+    {
+      method: 'POST',
+      headers: {
+        'xi-api-key': ELEVENLABS_KEY,
+        'Content-Type': 'application/json',
+        'Accept': 'audio/mpeg',
+      },
+      body: JSON.stringify({
+        text: text.slice(0, 2000),
+        model_id: 'eleven_multilingual_v2',
+        voice_settings: { stability: 0.5, similarity_boost: 0.75 },
+        output_format: 'mp3_22050_32',
+      }),
+    },
+  )
+
+  if (!apiRes.ok) {
+    const err = await apiRes.text()
+    return new Response(err, { status: apiRes.status })
+  }
+
+  // Pipe the streaming response directly
+  return new Response(apiRes.body, {
+    headers: {
+      'Content-Type': 'audio/mpeg',
+      'Transfer-Encoding': 'chunked',
+      'Cache-Control': 'no-cache',
+    },
+  })
+}