@swarmclawai/swarmclaw 1.5.54 → 1.5.56

package/README.md

@@ -399,6 +399,21 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.56 Highlights
+
+- **Fix: TTS error responses are now proper JSON instead of a raw Buffer blob.** `POST /api/tts` and `POST /api/tts/stream` previously returned `500` with the error message wrapped in a `new NextResponse(string, ...)` that the CLI JSON-decoded into `{"type":"Buffer","data":[78,111,...]}`. Both routes now return `NextResponse.json({error}, {status: 500})`. Regression test added.
+- **Zod-validated PUT/PATCH endpoints — hardening sweep.** Extends the v1.5.55 work (agents, tasks, webhooks) to close the same silent-corruption bug class on the remaining vulnerable routes: `PUT /api/secrets/:id`, `POST /api/secrets`, `PATCH /api/goals/:id`, `PUT /api/providers/:id`, `PUT /api/documents/:id`, `PUT /api/external-agents/:id`, and `PUT /api/chatrooms/:id`. Each route validates against a dedicated schema (`SecretUpdateSchema`, `SecretCreateSchema`, `GoalUpdateSchema`, `ProviderUpdateSchema`, `DocumentUpdateSchema`, `ExternalAgentUpdateSchema`, `ChatroomUpdateSchema`) in `src/lib/validation/schemas.ts`, then filters parsed data to the keys actually present in the raw body so Zod defaults can't overwrite untouched stored fields. Endpoints already doing per-field `typeof` guards (knowledge, gateways, projects) were left as-is.
+
+### v1.5.55 Highlights
+
+- **Fix: mission budget updates with decimal values no longer silently fail with a 400.** The mission UI's `numOrNull` parsed user input with `Number.parseFloat`, but the API requires `int()` for `maxTokens`, `maxToolCalls`, `maxWallclockSec`, and `maxTurns`. Typing `1000.5` returned a cryptic Zod error to the toast and the update was lost. Added `intOrNull` (rounds) in `mission-edit-sheet.tsx`, `mission-template-install-dialog.tsx`, and `app/missions/page.tsx`. `maxUsd` still accepts decimals.
+- **Fix: mission edit sheet's connectors dropdown was always empty.** The sheet fetched `/connectors` expecting a `Connector[]`, but the endpoint returns `Record<string, Connector>`. The defensive `Array.isArray` fallback quietly rendered an empty list, so users could not attach report connectors when editing a running mission. Now typed as `Record<string, Connector>` and projected with `Object.values`.
+- **Fix: memory search returns results for short (3-4 char) words like `cats`, `blue`, `dog`.** `buildFtsQuery` had a `unique[0].length >= 5` guard that returned an empty FTS query for any single-token search shorter than 5 chars, silently dropping valid searches. The upstream filter already requires ≥3 chars, so the extra guard just excluded useful queries. Removed; regression tests cover `cats`, `blue`, and `dog`.
+- **Fix: `PUT /api/agents/:id` now validates its body with a Zod schema.** Previously the route did `{...current, ...body}` without validation, so sending `{"tools": "not_an_array"}` silently wiped the agent's tool list to `[]`. Added `AgentUpdateSchema = AgentCreateSchema.partial()` and a filter step that keeps only keys present in the raw body (so Zod defaults do not overwrite untouched fields). Bad types now return a 400 with field-level errors. `updateAgent()` keeps a `current.tools` / `current.extensions` fallback as defense-in-depth for internal callers.
+- **Fix: `PUT /api/tasks/:id` now validates its body with a Zod schema.** Same class of bug: a numeric `title` silently corrupted the stored field. Added `TaskUpdateSchema = TaskCreateSchema.partial().extend({...})` with the update-only fields (`appendComment`, `result`, `error`, lifecycle timestamps) and the same raw-key filter pattern. Bad types now 400 with untouched storage.
+- **Fix: `PUT /api/webhooks/:id` now validates its body with a Zod schema.** Previously `{"events": "not_an_array"}` wiped the events list. Added `WebhookUpdateSchema` and explicit `rawKeys.has(...)` guards in the mutate closure so only fields actually present in the body are applied.
+- **Fix: classifier JSON no longer leaks into assistant responses.** Some Ollama / Ollama Cloud turns were emitting the internal `MessageClassification` object directly into the stream (e.g. `{"taskIntent":"research",...}` prepended to the real reply). The existing stripper only matched when `isDeliverableTask` was the first key, so leaks starting with `taskIntent` sailed through to the user. Replaced the regex with a principled detector that brace-matches candidate JSON (string-quote aware) and validates against `MessageClassificationSchema.safeParse` — the schema itself is the source of truth, so future schema changes can't break detection.
+
 ### v1.5.54 Highlights
 
 - **Mission templates library**: the `/missions` page now opens with a curated gallery of starter missions. Each template pre-wires a goal, success criteria, USD / token / turn / wallclock budgets, and a report cadence, so non-technical users can install a working autonomous run in one click. Initial lineup: Daily News Digest, Inbox Triage, Competitor Watch, Weekly Research Report, Social Listener, and Customer Support Triage. Setup notes flag any connector or permission prerequisites before installation. Power-user overrides (budget caps, success criteria, report cadence) live behind a collapsed **Advanced Settings** panel so the default install flow stays one click.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.54",
+  "version": "1.5.56",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",
@@ -80,7 +80,7 @@
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs scripts/run-next-build.test.mjs scripts/run-next-typegen.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts src/lib/server/storage-auth.test.ts src/lib/server/storage-auth-docker.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/connectors/swarmdock.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/session-tools/swarmdock.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
-    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
+    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/chat-turn-preparation.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/chat-execution/post-stream-finalization.test.ts src/lib/server/connectors/email.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/tasks/tasks-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
     "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",

package/src/app/api/agents/[id]/route.ts

@@ -4,6 +4,7 @@ import { trashAgent, updateAgent } from '@/lib/server/agents/agent-service'
 import { loadAgent } from '@/lib/server/agents/agent-repository'
 import { notify } from '@/lib/server/ws-hub'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { AgentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -14,9 +15,20 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const result = updateAgent(id, body as Record<string, unknown>)
+  const parsed = AgentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  // Filter to keys actually present in the raw body — zod re-applies `.default(...)`
+  // to absent fields, which would clobber untouched fields on the stored agent.
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
+  const result = updateAgent(id, body)
   if (!result) return notFound()
   return NextResponse.json(result)
 }

package/src/app/api/agents/agents-route.test.ts

@@ -4,7 +4,7 @@ import test, { afterEach } from 'node:test'
 // Disable daemon autostart during tests
 process.env.SWARMCLAW_DAEMON_AUTOSTART = '0'
 
-import { GET as getAgent } from './[id]/route'
+import { GET as getAgent, PUT as putAgent } from './[id]/route'
 import { POST as createAgent } from './route'
 import { loadAgents, saveAgents } from '@/lib/server/storage'
 
@@ -112,3 +112,67 @@ test('POST /api/agents rejects missing required fields with a 400', async () =>
   const body = await response.json()
   assert.equal(body.error, 'Validation failed')
 })
+
+// --- PUT /api/agents/:id (validation & field preservation) ---
+
+test('PUT /api/agents/:id rejects a non-array tools value with a 400', async () => {
+  seedAgent('agent-tools-reject', { tools: ['memory', 'files', 'web_search'] })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-tools-reject', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ tools: 'not_an_array' }),
+  }), routeParams('agent-tools-reject'))
+
+  assert.equal(response.status, 400)
+  const body = await response.json()
+  assert.equal(body.error, 'Validation failed')
+  assert.ok(body.issues.some((i: { path: string }) => i.path === 'tools'))
+
+  const agentAfter = loadAgents()['agent-tools-reject']
+  assert.deepEqual(agentAfter.tools, ['memory', 'files', 'web_search'], 'stored tools must be untouched')
+})
+
+test('PUT /api/agents/:id does not clobber untouched fields with schema defaults', async () => {
+  // Seed with non-default values; PUT a body that omits those fields. The route
+  // must filter zod defaults so missing keys do NOT reset the stored values.
+  seedAgent('agent-partial-update', {
+    name: 'Original',
+    tools: ['memory'],
+    delegationEnabled: true,
+    delegationTargetMode: 'selected',
+    delegationTargetAgentIds: ['other-agent'],
+    heartbeatEnabled: false,
+    proactiveMemory: false,
+  })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-partial-update', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ description: 'edited' }),
+  }), routeParams('agent-partial-update'))
+
+  assert.equal(response.status, 200)
+  const body = await response.json()
+  assert.equal(body.description, 'edited')
+  assert.equal(body.name, 'Original')
+  assert.deepEqual(body.tools, ['memory'])
+  assert.equal(body.delegationEnabled, true)
+  assert.equal(body.delegationTargetMode, 'selected')
+  assert.equal(body.heartbeatEnabled, false)
+  assert.equal(body.proactiveMemory, false)
+})
+
+test('PUT /api/agents/:id rejects non-string name', async () => {
+  seedAgent('agent-bad-name', { name: 'Good' })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-bad-name', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ name: 12345 }),
+  }), routeParams('agent-bad-name'))
+
+  assert.equal(response.status, 400)
+  const agentAfter = loadAgents()['agent-bad-name']
+  assert.equal(agentAfter.name, 'Good')
+})

package/src/app/api/chatrooms/[id]/chat/route.ts

@@ -25,7 +25,7 @@ import {
   selectChatroomRecipients,
 } from '@/lib/server/chatrooms/chatroom-routing'
 import { markProviderFailure, markProviderSuccess } from '@/lib/server/provider-health'
-import { applyAgentReactionsFromText } from '@/lib/server/chatrooms/chatroom-agent-signals'
+import { applyAgentReactionsFromText, stripAgentReactionTokens } from '@/lib/server/chatrooms/chatroom-agent-signals'
 import { resolvePrimaryAgentRoute } from '@/lib/server/agents/agent-runtime-config'
 import { shouldSuppressHiddenControlText, stripHiddenControlTokens } from '@/lib/server/agents/assistant-control'
 import type { Chatroom, ChatroomMessage, Agent } from '@/types'
@@ -46,7 +46,9 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   const chatroom = chatrooms[id] as Chatroom | undefined
   if (!chatroom) return notFound()
 
-  const text = typeof body.text === 'string' ? body.text : ''
+  const text = typeof body.text === 'string'
+    ? body.text
+    : (typeof body.message === 'string' ? body.message : '')
   const senderId = typeof body.senderId === 'string' ? body.senderId : 'user'
   const imagePath = typeof body.imagePath === 'string' ? body.imagePath : undefined
   const attachedFiles = Array.isArray(body.attachedFiles)
@@ -260,7 +262,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
             })
 
             const rawResponseText = result.finalResponse || result.fullText || fullText
-            const responseText = stripHiddenControlTokens(rawResponseText)
+            const responseText = stripAgentReactionTokens(stripHiddenControlTokens(rawResponseText))
 
             // Don't persist empty or error-only messages — they pollute chat history
             if (!responseText.trim() && agentError) {

package/src/app/api/chatrooms/[id]/route.ts

@@ -9,6 +9,7 @@ import {
   ensureChatroomRoutingGuidance,
   synthesizeRoutingGuidanceFromRules,
 } from '@/lib/server/chatrooms/chatroom-routing'
+import { ChatroomUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -25,14 +26,23 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = ChatroomUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id]
   if (!chatroom) return notFound()
 
-  if (body.name !== undefined) chatroom.name = body.name
-  if (body.description !== undefined) chatroom.description = body.description
+  if (body.name !== undefined) chatroom.name = body.name as string
+  if (body.description !== undefined) chatroom.description = body.description as string
   if (body.chatMode !== undefined) {
     chatroom.chatMode = body.chatMode === 'parallel' ? 'parallel' : 'sequential'
   }

package/src/app/api/chatrooms/route.ts

@@ -41,6 +41,9 @@ export async function GET(req: Request) {
 export async function POST(req: Request) {
   const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  if (raw && Array.isArray(raw.memberAgentIds) && !Array.isArray(raw.agentIds)) {
+    raw.agentIds = raw.memberAgentIds
+  }
   const parsed = ChatroomCreateSchema.safeParse(raw)
   if (!parsed.success) {
     return NextResponse.json(formatZodError(parsed.error as z.ZodError), { status: 400 })

package/src/app/api/documents/[id]/route.ts

@@ -1,11 +1,7 @@
 import { NextResponse } from 'next/server'
 import crypto from 'crypto'
 import { loadDocuments, saveDocuments, upsertDocumentRevision } from '@/lib/server/storage'
-
-function normalizeObject(value: unknown): Record<string, unknown> {
-  if (!value || typeof value !== 'object' || Array.isArray(value)) return {}
-  return value as Record<string, unknown>
-}
+import { DocumentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -17,13 +13,22 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json().catch(() => ({}))
+  const raw = await req.json().catch(() => null)
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+    return NextResponse.json({ error: 'Invalid or missing request body' }, { status: 400 })
+  }
+  const parsed = DocumentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw))
+  const body = parsed.data
+
   const docs = loadDocuments()
   const doc = docs[id]
   if (!doc) return NextResponse.json({ error: 'Document not found' }, { status: 404 })
 
   // Snapshot previous content as a revision before updating
-  if (body.content !== undefined && body.content !== doc.content) {
+  if (rawKeys.has('content') && body.content !== undefined && body.content !== doc.content) {
     const prevVersion = typeof doc.currentVersion === 'number' ? doc.currentVersion : 0
     const revisionId = crypto.randomBytes(8).toString('hex')
     upsertDocumentRevision(revisionId, {
@@ -32,18 +37,18 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
       version: prevVersion,
       content: doc.content,
       createdAt: Date.now(),
-      createdBy: typeof body.createdBy === 'string' ? body.createdBy : null,
+      createdBy: body.createdBy ?? null,
     })
     doc.currentVersion = prevVersion + 1
   }
 
-  if (body.title !== undefined) doc.title = body.title
-  if (body.fileName !== undefined) doc.fileName = body.fileName
-  if (body.sourcePath !== undefined) doc.sourcePath = body.sourcePath
-  if (body.content !== undefined) doc.content = body.content
-  if (body.method !== undefined) doc.method = body.method
-  if (body.metadata !== undefined) doc.metadata = normalizeObject(body.metadata)
-  doc.textLength = typeof body.textLength === 'number'
+  if (rawKeys.has('title') && body.title !== undefined) doc.title = body.title
+  if (rawKeys.has('fileName')) doc.fileName = body.fileName ?? null
+  if (rawKeys.has('sourcePath')) doc.sourcePath = body.sourcePath ?? null
+  if (rawKeys.has('content') && body.content !== undefined) doc.content = body.content
+  if (rawKeys.has('method') && body.method !== undefined) doc.method = body.method
+  if (rawKeys.has('metadata') && body.metadata !== undefined) doc.metadata = body.metadata
+  doc.textLength = rawKeys.has('textLength') && body.textLength !== undefined
     ? body.textLength
     : String(doc.content || '').length
   doc.updatedAt = Date.now()

package/src/app/api/external-agents/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadExternalAgents, saveExternalAgents } from '@/lib/server/storage'
 import { mutateItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
 import { notify } from '@/lib/server/ws-hub'
+import { ExternalAgentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -9,12 +10,24 @@ const ops: CollectionOps<any> = { load: loadExternalAgents, save: saveExternalAg
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json().catch(() => ({}))
+  const raw = await req.json().catch(() => null)
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+    return NextResponse.json({ error: 'Invalid or missing request body' }, { status: 400 })
+  }
+  const parsed = ExternalAgentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const now = Date.now()
   const result = mutateItem(ops, id, (runtime) => {
     const action = typeof body.action === 'string' ? body.action : ''
     const nextMetadata = body.metadata && typeof body.metadata === 'object'
-      ? { ...(runtime.metadata || {}), ...body.metadata }
+      ? { ...(runtime.metadata || {}), ...(body.metadata as Record<string, unknown>) }
       : runtime.metadata
 
     const next = {

package/src/app/api/goals/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { getGoalById, updateGoal, deleteGoal, getGoalChain } from '@/lib/server/goals/goal-service'
 import { notFound } from '@/lib/server/collection-helpers'
+import { GoalUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -14,9 +15,18 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PATCH(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const updated = updateGoal(id, body)
+  const parsed = GoalUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const patch: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) patch[key] = value
+  }
+
+  const updated = updateGoal(id, patch)
   if (!updated) return notFound()
   return NextResponse.json(updated)
 }

package/src/app/api/missions/[id]/control/route.ts

@@ -11,6 +11,9 @@ import {
   pauseMission,
   startMission,
 } from '@/lib/server/missions/mission-service'
+import { enqueueSessionRun } from '@/lib/server/runtime/session-run-manager'
+import { loadSessions } from '@/lib/server/storage'
+import { log } from '@/lib/server/logger'
 
 export const dynamic = 'force-dynamic'
 
@@ -31,7 +34,25 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   switch (parsed.data.action) {
     case 'start':
     case 'resume': {
+      const wasDraft = mission.status === 'draft'
       const updated = startMission(id)
+      if (updated && wasDraft && updated.rootSessionId && updated.goal) {
+        const sessions = loadSessions()
+        if (sessions[updated.rootSessionId]) {
+          try {
+            enqueueSessionRun({
+              sessionId: updated.rootSessionId,
+              message: `Mission goal: ${updated.goal}`,
+              missionId: updated.id,
+              source: 'mission',
+              internal: true,
+              dedupeKey: `mission:${updated.id}:kickoff`,
+            })
+          } catch (kickErr) {
+            log.warn('api-mission-control', `Mission kickoff enqueue failed for ${updated.id}`, kickErr)
+          }
+        }
+      }
       return NextResponse.json(updated)
     }
     case 'pause': {

package/src/app/api/providers/[id]/route.ts

@@ -4,6 +4,7 @@ import { loadProviderConfigs, saveProviderConfigs } from '@/lib/server/storage'
 import { mutateItem, deleteItem, notFound, badRequest, type CollectionOps } from '@/lib/server/collection-helpers'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { notify } from '@/lib/server/ws-hub'
+import { ProviderUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: loadProviderConfigs, save: saveProviderConfigs, topic: 'providers' }
@@ -18,8 +19,17 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = ProviderUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   if (!ops.load()[id]) {
     const builtin = PROVIDERS[id]
     if (!builtin) return notFound()

package/src/app/api/secrets/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadSecrets, saveSecrets } from '@/lib/server/storage'
 import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { SecretUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: loadSecrets, save: saveSecrets }
@@ -25,14 +26,19 @@ export async function DELETE(_req: Request, { params }: { params: Promise<{ id:
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = SecretUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body = parsed.data
+
   const result = mutateItem(ops, id, (secret) => {
-    if (body.name !== undefined) secret.name = body.name
-    if (body.service !== undefined) secret.service = body.service
-    if (body.scope !== undefined) secret.scope = body.scope
-    if (body.agentIds !== undefined) secret.agentIds = body.agentIds
-    if (body.projectId !== undefined) secret.projectId = body.projectId || undefined
+    if (rawKeys.has('name') && body.name !== undefined) secret.name = body.name
+    if (rawKeys.has('service') && body.service !== undefined) secret.service = body.service
+    if (rawKeys.has('scope') && body.scope !== undefined) secret.scope = body.scope
+    if (rawKeys.has('agentIds') && body.agentIds !== undefined) secret.agentIds = body.agentIds
+    if (rawKeys.has('projectId')) secret.projectId = body.projectId || undefined
     secret.updatedAt = Date.now()
     return secret
   })

package/src/app/api/secrets/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { genId } from '@/lib/id'
 import { loadSecrets, saveSecrets, encryptKey } from '@/lib/server/storage'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { SecretCreateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 
@@ -18,16 +19,20 @@ export async function GET(_req: Request) {
 }
 
 export async function POST(req: Request) {
-  const { data: body, error } = await safeParseBody<{ value?: string; name?: string; service?: string; scope?: string; agentIds?: string[]; projectId?: string }>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const id = genId()
-  const now = Date.now()
-  const secrets = loadSecrets()
+  const parsed = SecretCreateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+  const body = parsed.data
 
-  if (!body.value?.trim()) {
+  if (!body.value.trim()) {
     return NextResponse.json({ error: 'value is required' }, { status: 400 })
   }
 
+  const id = genId()
+  const now = Date.now()
+  const secrets = loadSecrets()
+
   secrets[id] = {
     id,
     name: body.name || 'Unnamed Secret',

package/src/app/api/tasks/[id]/route.ts

@@ -7,6 +7,7 @@ import {
   prepareTasksForListing,
   updateTaskFromRoute,
 } from '@/lib/server/tasks/task-route-service'
+import { TaskUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -17,8 +18,17 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = TaskUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const result = updateTaskFromRoute(id, body)
   if (!result.ok && result.status === 404) return notFound()
   return result.ok

package/src/app/api/tasks/tasks-route.test.ts

@@ -0,0 +1,81 @@
+import assert from 'node:assert/strict'
+import test, { afterEach } from 'node:test'
+
+process.env.SWARMCLAW_DAEMON_AUTOSTART = '0'
+
+import { PUT as putTask } from './[id]/route'
+import { loadTasks, saveTasks } from '@/lib/server/storage'
+import type { BoardTask } from '@/types'
+
+const originalTasks = loadTasks()
+
+function routeParams(id: string) {
+  return { params: Promise.resolve({ id }) }
+}
+
+function seedTask(id: string, overrides: Partial<BoardTask> = {}) {
+  const tasks = loadTasks()
+  const now = Date.now()
+  tasks[id] = {
+    id,
+    title: 'Seed Task',
+    description: '',
+    status: 'backlog',
+    createdAt: now,
+    updatedAt: now,
+    ...overrides,
+  } as BoardTask
+  saveTasks(tasks)
+}
+
+afterEach(() => {
+  saveTasks(originalTasks)
+})
+
+test('PUT /api/tasks/:id rejects a non-string title with a 400', async () => {
+  seedTask('task-bad-title', { title: 'Original' })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-bad-title', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ title: 42 }),
+  }), routeParams('task-bad-title'))
+
+  assert.equal(response.status, 400)
+  const stored = loadTasks()['task-bad-title']
+  assert.equal(stored.title, 'Original', 'stored title must be unchanged')
+})
+
+test('PUT /api/tasks/:id partial update does not clobber untouched fields', async () => {
+  seedTask('task-partial', {
+    title: 'Keep me',
+    description: 'Keep me too',
+    status: 'queued',
+  })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-partial', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ description: 'updated' }),
+  }), routeParams('task-partial'))
+
+  assert.equal(response.status, 200)
+  const body = await response.json()
+  assert.equal(body.title, 'Keep me')
+  assert.equal(body.description, 'updated')
+  assert.equal(body.status, 'queued')
+})
+
+test('PUT /api/tasks/:id rejects a non-array blockedBy with a 400', async () => {
+  seedTask('task-bad-blocked', { title: 'T', blockedBy: ['dep-1'] })
+
+  const response = await putTask(new Request('http://local/api/tasks/task-bad-blocked', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ blockedBy: 'not_an_array' }),
+  }), routeParams('task-bad-blocked'))
+
+  assert.equal(response.status, 400)
+  const stored = loadTasks()['task-bad-blocked']
+  assert.deepEqual(stored.blockedBy, ['dep-1'], 'stored blockedBy must be unchanged')
+})