@swarmclawai/swarmclaw 1.5.53 → 1.5.55

package/README.md

@@ -399,13 +399,27 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
-### v1.5.53 Highlights
+### v1.5.55 Highlights
+
+- **Fix: mission budget updates with decimal values no longer silently fail with a 400.** The mission UI's `numOrNull` parsed user input with `Number.parseFloat`, but the API requires `int()` for `maxTokens`, `maxToolCalls`, `maxWallclockSec`, and `maxTurns`. Typing `1000.5` returned a cryptic Zod error to the toast and the update was lost. Added `intOrNull` (rounds) in `mission-edit-sheet.tsx`, `mission-template-install-dialog.tsx`, and `app/missions/page.tsx`. `maxUsd` still accepts decimals.
+- **Fix: mission edit sheet's connectors dropdown was always empty.** The sheet fetched `/connectors` expecting a `Connector[]`, but the endpoint returns `Record<string, Connector>`. The defensive `Array.isArray` fallback quietly rendered an empty list, so users could not attach report connectors when editing a running mission. Now typed as `Record<string, Connector>` and projected with `Object.values`.
+- **Fix: memory search returns results for short (3-4 char) words like `cats`, `blue`, `dog`.** `buildFtsQuery` had a `unique[0].length >= 5` guard that returned an empty FTS query for any single-token search shorter than 5 chars, silently dropping valid searches. The upstream filter already requires ≥3 chars, so the extra guard just excluded useful queries. Removed; regression tests cover `cats`, `blue`, and `dog`.
+- **Fix: `PUT /api/agents/:id` now validates its body with a Zod schema.** Previously the route did `{...current, ...body}` without validation, so sending `{"tools": "not_an_array"}` silently wiped the agent's tool list to `[]`. Added `AgentUpdateSchema = AgentCreateSchema.partial()` and a filter step that keeps only keys present in the raw body (so Zod defaults do not overwrite untouched fields). Bad types now return a 400 with field-level errors. `updateAgent()` keeps a `current.tools` / `current.extensions` fallback as defense-in-depth for internal callers.
+- **Fix: `PUT /api/tasks/:id` now validates its body with a Zod schema.** Same class of bug: a numeric `title` silently corrupted the stored field. Added `TaskUpdateSchema = TaskCreateSchema.partial().extend({...})` with the update-only fields (`appendComment`, `result`, `error`, lifecycle timestamps) and the same raw-key filter pattern. Bad types now 400 with untouched storage.
+- **Fix: `PUT /api/webhooks/:id` now validates its body with a Zod schema.** Previously `{"events": "not_an_array"}` wiped the events list. Added `WebhookUpdateSchema` and explicit `rawKeys.has(...)` guards in the mutate closure so only fields actually present in the body are applied.
+- **Fix: classifier JSON no longer leaks into assistant responses.** Some Ollama / Ollama Cloud turns were emitting the internal `MessageClassification` object directly into the stream (e.g. `{"taskIntent":"research",...}` prepended to the real reply). The existing stripper only matched when `isDeliverableTask` was the first key, so leaks starting with `taskIntent` sailed through to the user. Replaced the regex with a principled detector that brace-matches candidate JSON (string-quote aware) and validates against `MessageClassificationSchema.safeParse` — the schema itself is the source of truth, so future schema changes can't break detection.
+
+### v1.5.54 Highlights
 
 - **Mission templates library**: the `/missions` page now opens with a curated gallery of starter missions. Each template pre-wires a goal, success criteria, USD / token / turn / wallclock budgets, and a report cadence, so non-technical users can install a working autonomous run in one click. Initial lineup: Daily News Digest, Inbox Triage, Competitor Watch, Weekly Research Report, Social Listener, and Customer Support Triage. Setup notes flag any connector or permission prerequisites before installation. Power-user overrides (budget caps, success criteria, report cadence) live behind a collapsed **Advanced Settings** panel so the default install flow stays one click.
 - **New API routes `GET /api/missions/templates` and `POST /api/missions/templates/:id/instantiate`** with matching CLI commands `swarmclaw missions templates` and `swarmclaw missions instantiate`. Installed missions persist a `templateId` so the origin is traceable for future template-update flows; legacy missions normalize to `templateId: null` on load, no data migration required.
-- **Fix: switching a session's model now sticks in the UI** ([#50](https://github.com/swarmclawai/swarmclaw/pull/50)). The **Switch Model** panel in the agent inspector was reading from `agent.provider` / `agent.model` (the agent's defaults) instead of `session.provider` / `session.model`, so after saving a model switch the collapsed pill still showed the agent default, the combobox reset to the default when reopened, and `selectedProvider` reverted on every save. `ModelSwitcherInline` now uses `session.provider || agent.provider` and `session.model || agent.model` as the source of truth, and its `useEffect` syncs to `session.provider` changes so a successful save updates the panel immediately.
+- **Fix: user-selected provider and model now survive the chat execution pipeline** ([#51](https://github.com/swarmclawai/swarmclaw/pull/51), thanks to [@borislavnnikolov](https://github.com/borislavnnikolov)). Switching provider or model via the inspector panel mid-session was being reverted on every turn because the agent's configured route was unconditionally reapplied in three places. `syncSessionFromAgent` now only syncs credentials / endpoint / fallbacks when the session's provider still matches the route provider, `prepareChatTurn` preserves the user's chosen model after applying the route, and `updateChatSession` auto-resolves a stored credential for the new provider (and clears the stale `apiEndpoint`) when provider changes without an explicit `credentialId`. Restores reliable switching between Copilot CLI, Codex CLI, Groq, and OpenAI-compatible providers.
+
+> **Note:** v1.5.53 release notes described the mission templates library, but the feature commit landed after the v1.5.53 tag was cut. v1.5.54 is the release that actually ships it.
+
+### v1.5.53 Highlights
 
-Thanks to [@borislavnnikolov](https://github.com/borislavnnikolov) for the contribution.
+- **Fix: switching a session's model now sticks in the UI** ([#50](https://github.com/swarmclawai/swarmclaw/pull/50), thanks to [@borislavnnikolov](https://github.com/borislavnnikolov)). The **Switch Model** panel in the agent inspector was reading from `agent.provider` / `agent.model` (the agent's defaults) instead of `session.provider` / `session.model`, so after saving a model switch the collapsed pill still showed the agent default, the combobox reset to the default when reopened, and `selectedProvider` reverted on every save. `ModelSwitcherInline` now uses `session.provider || agent.provider` and `session.model || agent.model` as the source of truth, and its `useEffect` syncs to `session.provider` changes so a successful save updates the panel immediately.
 
 ### v1.5.52 Highlights
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.53",
+  "version": "1.5.55",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",
@@ -80,7 +80,7 @@
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs scripts/run-next-build.test.mjs scripts/run-next-typegen.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts src/lib/server/storage-auth.test.ts src/lib/server/storage-auth-docker.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/connectors/swarmdock.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/session-tools/swarmdock.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
-    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
+    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/chat-turn-preparation.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/chat-execution/post-stream-finalization.test.ts src/lib/server/connectors/email.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/tasks/tasks-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
     "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",

package/src/app/api/agents/[id]/route.ts

@@ -4,6 +4,7 @@ import { trashAgent, updateAgent } from '@/lib/server/agents/agent-service'
 import { loadAgent } from '@/lib/server/agents/agent-repository'
 import { notify } from '@/lib/server/ws-hub'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { AgentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -14,9 +15,20 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const result = updateAgent(id, body as Record<string, unknown>)
+  const parsed = AgentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  // Filter to keys actually present in the raw body — zod re-applies `.default(...)`
+  // to absent fields, which would clobber untouched fields on the stored agent.
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
+  const result = updateAgent(id, body)
   if (!result) return notFound()
   return NextResponse.json(result)
 }

package/src/app/api/agents/agents-route.test.ts

@@ -4,7 +4,7 @@ import test, { afterEach } from 'node:test'
 // Disable daemon autostart during tests
 process.env.SWARMCLAW_DAEMON_AUTOSTART = '0'
 
-import { GET as getAgent } from './[id]/route'
+import { GET as getAgent, PUT as putAgent } from './[id]/route'
 import { POST as createAgent } from './route'
 import { loadAgents, saveAgents } from '@/lib/server/storage'
 
@@ -112,3 +112,67 @@ test('POST /api/agents rejects missing required fields with a 400', async () =>
   const body = await response.json()
   assert.equal(body.error, 'Validation failed')
 })
+
+// --- PUT /api/agents/:id (validation & field preservation) ---
+
+test('PUT /api/agents/:id rejects a non-array tools value with a 400', async () => {
+  seedAgent('agent-tools-reject', { tools: ['memory', 'files', 'web_search'] })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-tools-reject', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ tools: 'not_an_array' }),
+  }), routeParams('agent-tools-reject'))
+
+  assert.equal(response.status, 400)
+  const body = await response.json()
+  assert.equal(body.error, 'Validation failed')
+  assert.ok(body.issues.some((i: { path: string }) => i.path === 'tools'))
+
+  const agentAfter = loadAgents()['agent-tools-reject']
+  assert.deepEqual(agentAfter.tools, ['memory', 'files', 'web_search'], 'stored tools must be untouched')
+})
+
+test('PUT /api/agents/:id does not clobber untouched fields with schema defaults', async () => {
+  // Seed with non-default values; PUT a body that omits those fields. The route
+  // must filter zod defaults so missing keys do NOT reset the stored values.
+  seedAgent('agent-partial-update', {
+    name: 'Original',
+    tools: ['memory'],
+    delegationEnabled: true,
+    delegationTargetMode: 'selected',
+    delegationTargetAgentIds: ['other-agent'],
+    heartbeatEnabled: false,
+    proactiveMemory: false,
+  })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-partial-update', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ description: 'edited' }),
+  }), routeParams('agent-partial-update'))
+
+  assert.equal(response.status, 200)
+  const body = await response.json()
+  assert.equal(body.description, 'edited')
+  assert.equal(body.name, 'Original')
+  assert.deepEqual(body.tools, ['memory'])
+  assert.equal(body.delegationEnabled, true)
+  assert.equal(body.delegationTargetMode, 'selected')
+  assert.equal(body.heartbeatEnabled, false)
+  assert.equal(body.proactiveMemory, false)
+})
+
+test('PUT /api/agents/:id rejects non-string name', async () => {
+  seedAgent('agent-bad-name', { name: 'Good' })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-bad-name', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ name: 12345 }),
+  }), routeParams('agent-bad-name'))
+
+  assert.equal(response.status, 400)
+  const agentAfter = loadAgents()['agent-bad-name']
+  assert.equal(agentAfter.name, 'Good')
+})

package/src/app/api/chatrooms/[id]/chat/route.ts

@@ -25,7 +25,7 @@ import {
   selectChatroomRecipients,
 } from '@/lib/server/chatrooms/chatroom-routing'
 import { markProviderFailure, markProviderSuccess } from '@/lib/server/provider-health'
-import { applyAgentReactionsFromText } from '@/lib/server/chatrooms/chatroom-agent-signals'
+import { applyAgentReactionsFromText, stripAgentReactionTokens } from '@/lib/server/chatrooms/chatroom-agent-signals'
 import { resolvePrimaryAgentRoute } from '@/lib/server/agents/agent-runtime-config'
 import { shouldSuppressHiddenControlText, stripHiddenControlTokens } from '@/lib/server/agents/assistant-control'
 import type { Chatroom, ChatroomMessage, Agent } from '@/types'
@@ -46,7 +46,9 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   const chatroom = chatrooms[id] as Chatroom | undefined
   if (!chatroom) return notFound()
 
-  const text = typeof body.text === 'string' ? body.text : ''
+  const text = typeof body.text === 'string'
+    ? body.text
+    : (typeof body.message === 'string' ? body.message : '')
   const senderId = typeof body.senderId === 'string' ? body.senderId : 'user'
   const imagePath = typeof body.imagePath === 'string' ? body.imagePath : undefined
   const attachedFiles = Array.isArray(body.attachedFiles)
@@ -260,7 +262,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
             })
 
             const rawResponseText = result.finalResponse || result.fullText || fullText
-            const responseText = stripHiddenControlTokens(rawResponseText)
+            const responseText = stripAgentReactionTokens(stripHiddenControlTokens(rawResponseText))
 
             // Don't persist empty or error-only messages — they pollute chat history
             if (!responseText.trim() && agentError) {

package/src/app/api/chatrooms/route.ts

@@ -41,6 +41,9 @@ export async function GET(req: Request) {
 export async function POST(req: Request) {
   const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  if (raw && Array.isArray(raw.memberAgentIds) && !Array.isArray(raw.agentIds)) {
+    raw.agentIds = raw.memberAgentIds
+  }
   const parsed = ChatroomCreateSchema.safeParse(raw)
   if (!parsed.success) {
     return NextResponse.json(formatZodError(parsed.error as z.ZodError), { status: 400 })

package/src/app/api/missions/[id]/control/route.ts

@@ -11,6 +11,9 @@ import {
   pauseMission,
   startMission,
 } from '@/lib/server/missions/mission-service'
+import { enqueueSessionRun } from '@/lib/server/runtime/session-run-manager'
+import { loadSessions } from '@/lib/server/storage'
+import { log } from '@/lib/server/logger'
 
 export const dynamic = 'force-dynamic'
 
@@ -31,7 +34,25 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   switch (parsed.data.action) {
     case 'start':
     case 'resume': {
+      const wasDraft = mission.status === 'draft'
       const updated = startMission(id)
+      if (updated && wasDraft && updated.rootSessionId && updated.goal) {
+        const sessions = loadSessions()
+        if (sessions[updated.rootSessionId]) {
+          try {
+            enqueueSessionRun({
+              sessionId: updated.rootSessionId,
+              message: `Mission goal: ${updated.goal}`,
+              missionId: updated.id,
+              source: 'mission',
+              internal: true,
+              dedupeKey: `mission:${updated.id}:kickoff`,
+            })
+          } catch (kickErr) {
+            log.warn('api-mission-control', `Mission kickoff enqueue failed for ${updated.id}`, kickErr)
+          }
+        }
+      }
       return NextResponse.json(updated)
     }
     case 'pause': {

package/src/app/api/missions/templates/[id]/instantiate/route.ts

@@ -0,0 +1,64 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { formatZodError } from '@/lib/validation/schemas'
+import { notFound } from '@/lib/server/collection-helpers'
+import { createMissionFromTemplate } from '@/lib/server/missions/mission-service'
+import { patchSession } from '@/lib/server/sessions/session-repository'
+
+export const dynamic = 'force-dynamic'
+
+const BudgetOverrideSchema = z.object({
+  maxUsd: z.number().positive().nullable().optional(),
+  maxTokens: z.number().positive().int().nullable().optional(),
+  maxToolCalls: z.number().positive().int().nullable().optional(),
+  maxWallclockSec: z.number().positive().int().nullable().optional(),
+  maxTurns: z.number().positive().int().nullable().optional(),
+  warnAtFractions: z.array(z.number().positive().lt(1)).max(10).optional(),
+}).partial()
+
+const ReportScheduleSchema = z.object({
+  intervalSec: z.number().int().min(30),
+  format: z.enum(['markdown', 'slack', 'discord', 'email', 'audio']),
+  enabled: z.boolean().default(true),
+  lastReportAt: z.number().nullable().optional(),
+}).strict()
+
+const InstantiateSchema = z.object({
+  rootSessionId: z.string().min(1, 'rootSessionId is required'),
+  overrides: z.object({
+    title: z.string().min(1).max(200).optional(),
+    goal: z.string().min(1).max(4000).optional(),
+    successCriteria: z.array(z.string().min(1)).max(32).optional(),
+    budget: BudgetOverrideSchema.optional(),
+    reportSchedule: ReportScheduleSchema.nullable().optional(),
+    agentIds: z.array(z.string().min(1)).max(32).optional(),
+    reportConnectorIds: z.array(z.string().min(1)).max(8).optional(),
+  }).optional(),
+}).strict()
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
+  const parsed = InstantiateSchema.safeParse(body)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const result = createMissionFromTemplate({
+    templateId: id,
+    rootSessionId: parsed.data.rootSessionId,
+    overrides: parsed.data.overrides,
+  })
+  if (!result) return notFound()
+
+  try {
+    patchSession(result.mission.rootSessionId, (current) => {
+      if (!current) return null
+      return { ...current, missionId: result.mission.id }
+    })
+  } catch {
+    // Session may not exist yet; budget hook falls back to service map.
+  }
+
+  return NextResponse.json({ mission: result.mission, template: result.template })
+}

package/src/app/api/missions/templates/route.ts

@@ -0,0 +1,8 @@
+import { NextResponse } from 'next/server'
+import { listMissionTemplates } from '@/lib/server/missions/mission-templates'
+
+export const dynamic = 'force-dynamic'
+
+export async function GET() {
+  return NextResponse.json(listMissionTemplates())
+}

package/src/app/api/tasks/[id]/route.ts

@@ -7,6 +7,7 @@ import {
   prepareTasksForListing,
   updateTaskFromRoute,
 } from '@/lib/server/tasks/task-route-service'
+import { TaskUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -17,8 +18,17 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = TaskUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const result = updateTaskFromRoute(id, body)
   if (!result.ok && result.status === 404) return notFound()
   return result.ok

package/src/app/api/tasks/tasks-route.test.ts

@@ -0,0 +1,81 @@
+import assert from 'node:assert/strict'
+import test, { afterEach } from 'node:test'
+
+process.env.SWARMCLAW_DAEMON_AUTOSTART = '0'
+
+import { PUT as putTask } from './[id]/route'
+import { loadTasks, saveTasks } from '@/lib/server/storage'
+import type { BoardTask } from '@/types'
+
+const originalTasks = loadTasks()
+
+function routeParams(id: string) {
+  return { params: Promise.resolve({ id }) }
+}
+
+function seedTask(id: string, overrides: Partial<BoardTask> = {}) {
+  const tasks = loadTasks()
+  const now = Date.now()
+  tasks[id] = {
+    id,
+    title: 'Seed Task',
+    description: '',
+    status: 'backlog',
+    createdAt: now,
+    updatedAt: now,
+    ...overrides,
+  } as BoardTask
+  saveTasks(tasks)
+}
+
+afterEach(() => {
+  saveTasks(originalTasks)
+})
+
+test('PUT /api/tasks/:id rejects a non-string title with a 400', async () => {
+  seedTask('task-bad-title', { title: 'Original' })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-bad-title', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ title: 42 }),
+  }), routeParams('task-bad-title'))
+
+  assert.equal(response.status, 400)
+  const stored = loadTasks()['task-bad-title']
+  assert.equal(stored.title, 'Original', 'stored title must be unchanged')
+})
+
+test('PUT /api/tasks/:id partial update does not clobber untouched fields', async () => {
+  seedTask('task-partial', {
+    title: 'Keep me',
+    description: 'Keep me too',
+    status: 'queued',
+  })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-partial', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ description: 'updated' }),
+  }), routeParams('task-partial'))
+
+  assert.equal(response.status, 200)
+  const body = await response.json()
+  assert.equal(body.title, 'Keep me')
+  assert.equal(body.description, 'updated')
+  assert.equal(body.status, 'queued')
+})
+
+test('PUT /api/tasks/:id rejects a non-array blockedBy with a 400', async () => {
+  seedTask('task-bad-blocked', { title: 'T', blockedBy: ['dep-1'] })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-bad-blocked', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ blockedBy: 'not_an_array' }),
+  }), routeParams('task-bad-blocked'))
+
+  assert.equal(response.status, 400)
+  const stored = loadTasks()['task-bad-blocked']
+  assert.deepEqual(stored.blockedBy, ['dep-1'], 'stored blockedBy must be unchanged')
+})

package/src/app/api/webhooks/[id]/route.ts

@@ -1,19 +1,12 @@
 import { NextResponse } from 'next/server'
 import { loadWebhooks, saveWebhooks } from '@/lib/server/storage'
 import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
+import { WebhookUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 import { handleWebhookPost } from './helpers'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: loadWebhooks, save: saveWebhooks }
 
-function normalizeEvents(value: unknown): string[] {
-  if (!Array.isArray(value)) return []
-  return value
-    .filter((v): v is string => typeof v === 'string')
-    .map((v) => v.trim())
-    .filter(Boolean)
-}
-
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const webhooks = loadWebhooks()
@@ -24,14 +17,24 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json().catch(() => ({}))
+  const raw = await req.json().catch(() => null)
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+    return NextResponse.json({ error: 'Invalid or missing request body' }, { status: 400 })
+  }
+  const parsed = WebhookUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw))
+  const body = parsed.data
   const result = mutateItem(ops, id, (webhook) => {
-    if (body.name !== undefined) webhook.name = body.name
-    if (body.source !== undefined) webhook.source = body.source
-    if (body.events !== undefined) webhook.events = normalizeEvents(body.events)
-    if (body.agentId !== undefined) webhook.agentId = body.agentId
-    if (body.secret !== undefined) webhook.secret = body.secret
-    if (body.isEnabled !== undefined) webhook.isEnabled = !!body.isEnabled
+    if (rawKeys.has('name') && body.name !== undefined) webhook.name = body.name
+    if (rawKeys.has('source') && body.source !== undefined) webhook.source = body.source
+    if (rawKeys.has('events') && body.events !== undefined) {
+      webhook.events = body.events.map((e) => e.trim()).filter(Boolean)
+    }
+    if (rawKeys.has('agentId') && body.agentId !== undefined) webhook.agentId = body.agentId
+    if (rawKeys.has('secret') && body.secret !== undefined) webhook.secret = body.secret
+    if (rawKeys.has('isEnabled') && body.isEnabled !== undefined) webhook.isEnabled = body.isEnabled
     webhook.updatedAt = Date.now()
     return webhook
   })