@swarmclawai/swarmclaw 1.5.55 → 1.5.57

package/README.md

@@ -399,6 +399,25 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.57 Highlights
+
+This release closes the org-orchestration feature gap with Paperclip while keeping SwarmClaw's autonomous-assistant focus. Most additions are additive; nothing existing has changed shape.
+
+- **Workspace templates: full export/import bundle.** `src/lib/server/portability/{export,import}.ts` now round-trips agents, skills, schedules, **connectors** (with secret scrubbing), **chatrooms**, **MCP servers**, **projects**, **goals**, and an extension manifest reference. Manifest version bumped to `2`; v1 bundles still import. Connectors and MCP servers re-import with credentials stripped — the response payload now lists which records `needCredentials` so the UI can prompt. ID remapping handles cross-references (chatrooms → agents, schedules → agents, goals → projects/agents).
+- **Per-agent budget enforcement at enqueue.** New `src/lib/server/agents/agent-budget-hook.ts` mirrors the existing mission budget hook. When an agent has `budgetAction: 'block'` and any window (`hourlyBudget`/`dailyBudget`/`monthlyBudget`) is exhausted, autonomous enqueues now fail fast in `session-run-manager` instead of getting blocked deeper in the chat-turn pipeline. User-initiated chats still flow through (so users can talk to an agent that's hit its cap). Default `'warn'` behavior is unchanged.
+- **Goal hierarchy ancestry through Mission.** `Mission.goalId` is a new optional field. When a session has a `missionId` and the bound mission has a `goalId`, `main-agent-loop.ts` now walks `mission → goal → parentGoal → …` so the full Initiative/Project/Goal ancestry flows into the agent system prompt — previously only direct session-level goals were resolved.
+- **Billing codes / cost attribution.** `Mission`, `BoardTask`, `Session`, and `UsageRecord` accept an optional `billingCodes: string[]`. `resolveBillingCodesForSession` combines session + mission codes when usage is appended, and the new `GET /api/usage/by-code?codes=foo,bar&range=7d` endpoint rolls up cost per code (and per agent within each code). Lets users running multiple parallel projects answer "what did Project X cost?" across agents, missions, and ad-hoc chats.
+- **Customizable task workflow states.** New `WorkflowState` collection (`src/lib/server/tasks/workflow-state-repository.ts`) stores team-defined states like "Needs Review" or "Blocked on PM" that are orthogonal to `BoardTaskStatus` lifecycle. `BoardTask.workflowStateId` references one of seven defaults (Triage / Backlog / Todo / In Progress / Needs Review / Done / Cancelled) or any custom state. CRUD via `GET|POST|DELETE /api/task-workflow-states`. Atomic checkout via `task-checkout.ts` was already in place.
+- **Cross-agent delegation refusal policy.** `Chatroom.onRefusal` (`'reroute' | 'escalate' | 'human'`) and `Chatroom.escalationTargetAgentId` formalize what happens when a delegated agent declines work. `chatroom-refusal.ts` reroutes to another room member, escalates to a configured target, or surfaces a `human_loop` approval. Policy management at `POST /api/chatrooms/refusal-policy`; simulation at `PUT` for tests.
+- **Configuration version history.** Every `updateAgent` call now snapshots the prior agent state into `config-versions.json` (capped at 50 versions per entity). `GET /api/config-versions?entityKind=agent&entityId=...` lists history; `POST /api/config-versions/restore` rolls back. Foundation for extending to extensions, connectors, MCP servers, chatrooms, and projects.
+- **Multi-workspace scaffolding.** New `Workspace` registry with `GET|POST|PATCH|DELETE /api/workspaces` and `GET|POST /api/workspaces/active`. The default workspace seeds itself on first read; switching the active workspace persists to `workspace-registry.json`. **Note:** this is metadata only in v1.5.57 — actual data-dir forking per workspace is intentionally deferred (low-risk shipping).
+- **CLI manifest expanded.** New top-level groups: `workspaces`, `workflow-states`, `config-versions`, `cost-attribution`, `chatroom-policy`. Run `swarmclaw workspaces list`, `swarmclaw cost-attribution by-code --query codes=client-a,range=30d`, `swarmclaw config-versions list --query entityKind=agent,entityId=...`, etc. CLI route-coverage test passes.
+
+### v1.5.56 Highlights
+
+- **Fix: TTS error responses are now proper JSON instead of a raw Buffer blob.** `POST /api/tts` and `POST /api/tts/stream` previously returned `500` with the error message wrapped in a `new NextResponse(string, ...)` that the CLI JSON-decoded into `{"type":"Buffer","data":[78,111,...]}`. Both routes now return `NextResponse.json({error}, {status: 500})`. Regression test added.
+- **Zod-validated PUT/PATCH endpoints — hardening sweep.** Extends the v1.5.55 work (agents, tasks, webhooks) to close the same silent-corruption bug class on the remaining vulnerable routes: `PUT /api/secrets/:id`, `POST /api/secrets`, `PATCH /api/goals/:id`, `PUT /api/providers/:id`, `PUT /api/documents/:id`, `PUT /api/external-agents/:id`, and `PUT /api/chatrooms/:id`. Each route validates against a dedicated schema (`SecretUpdateSchema`, `SecretCreateSchema`, `GoalUpdateSchema`, `ProviderUpdateSchema`, `DocumentUpdateSchema`, `ExternalAgentUpdateSchema`, `ChatroomUpdateSchema`) in `src/lib/validation/schemas.ts`, then filters parsed data to the keys actually present in the raw body so Zod defaults can't overwrite untouched stored fields. Endpoints already doing per-field `typeof` guards (knowledge, gateways, projects) were left as-is.
+
 ### v1.5.55 Highlights
 
 - **Fix: mission budget updates with decimal values no longer silently fail with a 400.** The mission UI's `numOrNull` parsed user input with `Number.parseFloat`, but the API requires `int()` for `maxTokens`, `maxToolCalls`, `maxWallclockSec`, and `maxTurns`. Typing `1000.5` returned a cryptic Zod error to the toast and the update was lost. Added `intOrNull` (rounds) in `mission-edit-sheet.tsx`, `mission-template-install-dialog.tsx`, and `app/missions/page.tsx`. `maxUsd` still accepts decimals.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.55",
+  "version": "1.5.57",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",

package/src/app/api/chatrooms/[id]/route.ts

@@ -9,6 +9,7 @@ import {
   ensureChatroomRoutingGuidance,
   synthesizeRoutingGuidanceFromRules,
 } from '@/lib/server/chatrooms/chatroom-routing'
+import { ChatroomUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -25,14 +26,23 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = ChatroomUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id]
   if (!chatroom) return notFound()
 
-  if (body.name !== undefined) chatroom.name = body.name
-  if (body.description !== undefined) chatroom.description = body.description
+  if (body.name !== undefined) chatroom.name = body.name as string
+  if (body.description !== undefined) chatroom.description = body.description as string
   if (body.chatMode !== undefined) {
     chatroom.chatMode = body.chatMode === 'parallel' ? 'parallel' : 'sequential'
   }

package/src/app/api/chatrooms/refusal-policy/route.ts

@@ -0,0 +1,43 @@
+import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { setChatroomRefusalPolicy, handleAgentRefusal } from '@/lib/server/chatrooms/chatroom-refusal'
+
+export const dynamic = 'force-dynamic'
+
+const VALID_POLICIES = new Set(['reroute', 'escalate', 'human'])
+
+export async function POST(req: Request) {
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
+  const chatroomId = typeof body?.chatroomId === 'string' ? body.chatroomId : null
+  const policy = typeof body?.policy === 'string' ? body.policy : null
+  if (!chatroomId) return NextResponse.json({ error: 'chatroomId required' }, { status: 400 })
+  if (!policy || !VALID_POLICIES.has(policy)) {
+    return NextResponse.json({ error: 'policy must be reroute|escalate|human' }, { status: 400 })
+  }
+  const escalationTargetAgentId = typeof body?.escalationTargetAgentId === 'string'
+    ? body.escalationTargetAgentId
+    : null
+  const room = setChatroomRefusalPolicy(
+    chatroomId,
+    policy as 'reroute' | 'escalate' | 'human',
+    escalationTargetAgentId,
+  )
+  if (!room) return NextResponse.json({ error: 'chatroom not found' }, { status: 404 })
+  return NextResponse.json({ chatroom: room })
+}
+
+export async function PUT(req: Request) {
+  // Trigger a refusal handling decision (used by agent runtime + tests).
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
+  const chatroomId = typeof body?.chatroomId === 'string' ? body.chatroomId : null
+  const refusingAgentId = typeof body?.refusingAgentId === 'string' ? body.refusingAgentId : null
+  const taskOrTopic = typeof body?.taskOrTopic === 'string' ? body.taskOrTopic : ''
+  const reason = typeof body?.reason === 'string' ? body.reason : 'unspecified'
+  if (!chatroomId || !refusingAgentId) {
+    return NextResponse.json({ error: 'chatroomId and refusingAgentId required' }, { status: 400 })
+  }
+  const decision = handleAgentRefusal({ chatroomId, refusingAgentId, taskOrTopic, reason })
+  return NextResponse.json({ decision })
+}

package/src/app/api/config-versions/restore/route.ts

@@ -0,0 +1,26 @@
+import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { getVersion } from '@/lib/server/config-versions/config-version-repository'
+import { updateAgent } from '@/lib/server/agents/agent-service'
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(req: Request) {
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
+  const versionId = typeof body?.versionId === 'string' ? body.versionId : null
+  if (!versionId) return NextResponse.json({ error: 'versionId required' }, { status: 400 })
+
+  const version = getVersion(versionId)
+  if (!version) return NextResponse.json({ error: 'version not found' }, { status: 404 })
+
+  if (version.entityKind === 'agent') {
+    const restored = updateAgent(version.entityId, version.snapshot)
+    if (!restored) return NextResponse.json({ error: 'agent not found' }, { status: 404 })
+    return NextResponse.json({ ok: true, restored: { kind: 'agent', id: version.entityId } })
+  }
+
+  return NextResponse.json({
+    error: `Restore not yet implemented for kind=${version.entityKind}`,
+  }, { status: 501 })
+}

package/src/app/api/config-versions/route.ts

@@ -0,0 +1,21 @@
+import { NextResponse } from 'next/server'
+import { listVersionsForEntity } from '@/lib/server/config-versions/config-version-repository'
+import type { VersionedEntityKind } from '@/types/config-version'
+
+export const dynamic = 'force-dynamic'
+
+const VALID_KINDS = new Set<VersionedEntityKind>([
+  'agent', 'extension', 'connector', 'mcp_server', 'chatroom', 'project',
+])
+
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const kind = searchParams.get('entityKind') as VersionedEntityKind | null
+  const id = searchParams.get('entityId')
+  if (!kind || !VALID_KINDS.has(kind)) {
+    return NextResponse.json({ error: 'entityKind required (agent|extension|connector|mcp_server|chatroom|project)' }, { status: 400 })
+  }
+  if (!id) return NextResponse.json({ error: 'entityId required' }, { status: 400 })
+  const versions = listVersionsForEntity(kind, id)
+  return NextResponse.json({ versions })
+}

package/src/app/api/documents/[id]/route.ts

@@ -1,11 +1,7 @@
 import { NextResponse } from 'next/server'
 import crypto from 'crypto'
 import { loadDocuments, saveDocuments, upsertDocumentRevision } from '@/lib/server/storage'
-
-function normalizeObject(value: unknown): Record<string, unknown> {
-  if (!value || typeof value !== 'object' || Array.isArray(value)) return {}
-  return value as Record<string, unknown>
-}
+import { DocumentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
@@ -17,13 +13,22 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json().catch(() => ({}))
+  const raw = await req.json().catch(() => null)
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+    return NextResponse.json({ error: 'Invalid or missing request body' }, { status: 400 })
+  }
+  const parsed = DocumentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw))
+  const body = parsed.data
+
   const docs = loadDocuments()
   const doc = docs[id]
   if (!doc) return NextResponse.json({ error: 'Document not found' }, { status: 404 })
 
   // Snapshot previous content as a revision before updating
-  if (body.content !== undefined && body.content !== doc.content) {
+  if (rawKeys.has('content') && body.content !== undefined && body.content !== doc.content) {
     const prevVersion = typeof doc.currentVersion === 'number' ? doc.currentVersion : 0
     const revisionId = crypto.randomBytes(8).toString('hex')
     upsertDocumentRevision(revisionId, {
@@ -32,18 +37,18 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
       version: prevVersion,
       content: doc.content,
       createdAt: Date.now(),
-      createdBy: typeof body.createdBy === 'string' ? body.createdBy : null,
+      createdBy: body.createdBy ?? null,
     })
     doc.currentVersion = prevVersion + 1
   }
 
-  if (body.title !== undefined) doc.title = body.title
-  if (body.fileName !== undefined) doc.fileName = body.fileName
-  if (body.sourcePath !== undefined) doc.sourcePath = body.sourcePath
-  if (body.content !== undefined) doc.content = body.content
-  if (body.method !== undefined) doc.method = body.method
-  if (body.metadata !== undefined) doc.metadata = normalizeObject(body.metadata)
-  doc.textLength = typeof body.textLength === 'number'
+  if (rawKeys.has('title') && body.title !== undefined) doc.title = body.title
+  if (rawKeys.has('fileName')) doc.fileName = body.fileName ?? null
+  if (rawKeys.has('sourcePath')) doc.sourcePath = body.sourcePath ?? null
+  if (rawKeys.has('content') && body.content !== undefined) doc.content = body.content
+  if (rawKeys.has('method') && body.method !== undefined) doc.method = body.method
+  if (rawKeys.has('metadata') && body.metadata !== undefined) doc.metadata = body.metadata
+  doc.textLength = rawKeys.has('textLength') && body.textLength !== undefined
     ? body.textLength
     : String(doc.content || '').length
   doc.updatedAt = Date.now()

package/src/app/api/external-agents/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadExternalAgents, saveExternalAgents } from '@/lib/server/storage'
 import { mutateItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
 import { notify } from '@/lib/server/ws-hub'
+import { ExternalAgentUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -9,12 +10,24 @@ const ops: CollectionOps<any> = { load: loadExternalAgents, save: saveExternalAg
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json().catch(() => ({}))
+  const raw = await req.json().catch(() => null)
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
+    return NextResponse.json({ error: 'Invalid or missing request body' }, { status: 400 })
+  }
+  const parsed = ExternalAgentUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   const now = Date.now()
   const result = mutateItem(ops, id, (runtime) => {
     const action = typeof body.action === 'string' ? body.action : ''
     const nextMetadata = body.metadata && typeof body.metadata === 'object'
-      ? { ...(runtime.metadata || {}), ...body.metadata }
+      ? { ...(runtime.metadata || {}), ...(body.metadata as Record<string, unknown>) }
       : runtime.metadata
 
     const next = {

package/src/app/api/goals/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { getGoalById, updateGoal, deleteGoal, getGoalChain } from '@/lib/server/goals/goal-service'
 import { notFound } from '@/lib/server/collection-helpers'
+import { GoalUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -14,9 +15,18 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PATCH(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const updated = updateGoal(id, body)
+  const parsed = GoalUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const patch: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) patch[key] = value
+  }
+
+  const updated = updateGoal(id, patch)
   if (!updated) return notFound()
   return NextResponse.json(updated)
 }

package/src/app/api/providers/[id]/route.ts

@@ -4,6 +4,7 @@ import { loadProviderConfigs, saveProviderConfigs } from '@/lib/server/storage'
 import { mutateItem, deleteItem, notFound, badRequest, type CollectionOps } from '@/lib/server/collection-helpers'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { notify } from '@/lib/server/ws-hub'
+import { ProviderUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: loadProviderConfigs, save: saveProviderConfigs, topic: 'providers' }
@@ -18,8 +19,17 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = ProviderUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body: Record<string, unknown> = {}
+  for (const [key, value] of Object.entries(parsed.data)) {
+    if (rawKeys.has(key)) body[key] = value
+  }
+
   if (!ops.load()[id]) {
     const builtin = PROVIDERS[id]
     if (!builtin) return notFound()

package/src/app/api/secrets/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadSecrets, saveSecrets } from '@/lib/server/storage'
 import { mutateItem, deleteItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { SecretUpdateSchema, formatZodError } from '@/lib/validation/schemas'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: loadSecrets, save: saveSecrets }
@@ -25,14 +26,19 @@ export async function DELETE(_req: Request, { params }: { params: Promise<{ id:
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
+  const parsed = SecretUpdateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+  const rawKeys = new Set(Object.keys(raw ?? {}))
+  const body = parsed.data
+
   const result = mutateItem(ops, id, (secret) => {
-    if (body.name !== undefined) secret.name = body.name
-    if (body.service !== undefined) secret.service = body.service
-    if (body.scope !== undefined) secret.scope = body.scope
-    if (body.agentIds !== undefined) secret.agentIds = body.agentIds
-    if (body.projectId !== undefined) secret.projectId = body.projectId || undefined
+    if (rawKeys.has('name') && body.name !== undefined) secret.name = body.name
+    if (rawKeys.has('service') && body.service !== undefined) secret.service = body.service
+    if (rawKeys.has('scope') && body.scope !== undefined) secret.scope = body.scope
+    if (rawKeys.has('agentIds') && body.agentIds !== undefined) secret.agentIds = body.agentIds
+    if (rawKeys.has('projectId')) secret.projectId = body.projectId || undefined
     secret.updatedAt = Date.now()
     return secret
   })

package/src/app/api/secrets/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { genId } from '@/lib/id'
 import { loadSecrets, saveSecrets, encryptKey } from '@/lib/server/storage'
 import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { SecretCreateSchema, formatZodError } from '@/lib/validation/schemas'
 export const dynamic = 'force-dynamic'
 
 
@@ -18,16 +19,20 @@ export async function GET(_req: Request) {
 }
 
 export async function POST(req: Request) {
-  const { data: body, error } = await safeParseBody<{ value?: string; name?: string; service?: string; scope?: string; agentIds?: string[]; projectId?: string }>(req)
+  const { data: raw, error } = await safeParseBody<Record<string, unknown>>(req)
   if (error) return error
-  const id = genId()
-  const now = Date.now()
-  const secrets = loadSecrets()
+  const parsed = SecretCreateSchema.safeParse(raw)
+  if (!parsed.success) return NextResponse.json(formatZodError(parsed.error), { status: 400 })
+  const body = parsed.data
 
-  if (!body.value?.trim()) {
+  if (!body.value.trim()) {
     return NextResponse.json({ error: 'value is required' }, { status: 400 })
   }
 
+  const id = genId()
+  const now = Date.now()
+  const secrets = loadSecrets()
+
   secrets[id] = {
     id,
     name: body.name || 'Unnamed Secret',

package/src/app/api/task-workflow-states/route.ts

@@ -0,0 +1,69 @@
+import { NextResponse } from 'next/server'
+import { genId } from '@/lib/id'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import {
+  deleteWorkflowState,
+  listWorkflowStates,
+  resetWorkflowStatesToDefaults,
+  upsertWorkflowState,
+} from '@/lib/server/tasks/workflow-state-repository'
+import type { WorkflowState, WorkflowStateCategory } from '@/types/workflow-state'
+
+export const dynamic = 'force-dynamic'
+
+const VALID_CATEGORIES = new Set<WorkflowStateCategory>([
+  'triage', 'backlog', 'unstarted', 'started', 'completed', 'cancelled',
+])
+
+function asString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim() ? value.trim() : null
+}
+
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const projectId = searchParams.get('projectId')
+  const states = listWorkflowStates(
+    projectId ? { projectId } : undefined,
+  )
+  return NextResponse.json({ states })
+}
+
+export async function POST(req: Request) {
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
+  const label = asString(body?.label)
+  const categoryRaw = asString(body?.category) as WorkflowStateCategory | null
+  if (!label) return NextResponse.json({ error: 'label is required' }, { status: 400 })
+  if (!categoryRaw || !VALID_CATEGORIES.has(categoryRaw)) {
+    return NextResponse.json({ error: 'category must be one of triage|backlog|unstarted|started|completed|cancelled' }, { status: 400 })
+  }
+  const id = asString(body?.id) || genId()
+  const now = Date.now()
+  const state: WorkflowState = {
+    id,
+    label,
+    category: categoryRaw,
+    projectId: asString(body?.projectId),
+    color: asString(body?.color),
+    position: typeof body?.position === 'number' ? body.position : undefined,
+    autoArchiveAfterDays: typeof body?.autoArchiveAfterDays === 'number' ? body.autoArchiveAfterDays : null,
+    createdAt: now,
+    updatedAt: now,
+  }
+  const saved = upsertWorkflowState(state)
+  return NextResponse.json({ state: saved })
+}
+
+export async function DELETE(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const id = searchParams.get('id')
+  if (id) {
+    const removed = deleteWorkflowState(id)
+    return NextResponse.json({ ok: removed })
+  }
+  if (searchParams.get('reset') === 'true') {
+    resetWorkflowStatesToDefaults()
+    return NextResponse.json({ ok: true, reset: true })
+  }
+  return NextResponse.json({ error: 'id or reset=true required' }, { status: 400 })
+}

package/src/app/api/tts/route.test.ts

@@ -80,3 +80,53 @@ test('tts routes reject empty text with a validation error', () => {
   assert.equal(output.streamPayload.error, 'Validation failed')
   assert.deepEqual(output.streamPayload.issues, [{ path: 'text', message: 'No text provided' }])
 })
+
+test('tts routes return a JSON error when no ElevenLabs API key is configured', () => {
+  // Regression: both routes previously returned the raw error string via
+  // `new NextResponse(message, { status: 500 })`, which serialized to a
+  // `{"type":"Buffer","data":[...]}` blob on the CLI side because the response
+  // had no content-type. They must now return a proper JSON error body.
+  const output = runWithTempDataDir<{
+    ttsStatus: number
+    ttsContentType: string | null
+    ttsPayload: { error?: string }
+    streamStatus: number
+    streamContentType: string | null
+    streamPayload: { error?: string }
+  }>(`
+    delete process.env.ELEVENLABS_API_KEY
+    const ttsRouteMod = await import('./src/app/api/tts/route')
+    const ttsStreamRouteMod = await import('./src/app/api/tts/stream/route')
+    const ttsRoute = ttsRouteMod.default || ttsRouteMod
+    const ttsStreamRoute = ttsStreamRouteMod.default || ttsStreamRouteMod
+
+    const ttsResponse = await ttsRoute.POST(new Request('http://local/api/tts', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ text: 'hello' }),
+    }))
+
+    const ttsStreamResponse = await ttsStreamRoute.POST(new Request('http://local/api/tts/stream', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ text: 'hello' }),
+    }))
+
+    console.log(JSON.stringify({
+      ttsStatus: ttsResponse.status,
+      ttsContentType: ttsResponse.headers.get('content-type'),
+      ttsPayload: await ttsResponse.json(),
+      streamStatus: ttsStreamResponse.status,
+      streamContentType: ttsStreamResponse.headers.get('content-type'),
+      streamPayload: await ttsStreamResponse.json(),
+    }))
+  `, { prefix: 'swarmclaw-tts-route-' })
+
+  assert.equal(output.ttsStatus, 500)
+  assert.ok(output.ttsContentType?.includes('application/json'), `expected JSON content-type, got ${output.ttsContentType}`)
+  assert.match(output.ttsPayload.error ?? '', /ElevenLabs API key/i)
+
+  assert.equal(output.streamStatus, 500)
+  assert.ok(output.streamContentType?.includes('application/json'), `expected JSON content-type, got ${output.streamContentType}`)
+  assert.match(output.streamPayload.error ?? '', /ElevenLabs API key/i)
+})

package/src/app/api/tts/route.ts

@@ -23,6 +23,9 @@ export async function POST(req: Request) {
       },
     })
   } catch (err: unknown) {
-    return new NextResponse(explainElevenLabsError(err), { status: 500 })
+    return NextResponse.json(
+      { error: explainElevenLabsError(err) },
+      { status: 500 },
+    )
   }
 }

package/src/app/api/tts/stream/route.ts

@@ -1,3 +1,4 @@
+import { NextResponse } from 'next/server'
 import { z } from 'zod'
 
 import { explainElevenLabsError, requestElevenLabsMp3Stream } from '@/lib/server/elevenlabs'
@@ -22,6 +23,9 @@ export async function POST(req: Request) {
       },
     })
   } catch (err: unknown) {
-    return new Response(explainElevenLabsError(err), { status: 500 })
+    return NextResponse.json(
+      { error: explainElevenLabsError(err) },
+      { status: 500 },
+    )
   }
 }

package/src/app/api/usage/by-code/route.ts

@@ -0,0 +1,32 @@
+import { NextResponse } from 'next/server'
+import { listObservedBillingCodes, rollupCostByBillingCode } from '@/lib/server/usage/cost-attribution'
+
+export const dynamic = 'force-dynamic'
+
+const RANGE_MS: Record<string, number> = {
+  '24h': 24 * 60 * 60 * 1000,
+  '7d': 7 * 24 * 60 * 60 * 1000,
+  '30d': 30 * 24 * 60 * 60 * 1000,
+  'all': Number.POSITIVE_INFINITY,
+}
+
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const codesParam = searchParams.get('codes')
+  const codes = codesParam
+    ? codesParam.split(',').map((s) => s.trim()).filter(Boolean)
+    : undefined
+  const rangeParam = searchParams.get('range') ?? 'all'
+  const rangeMs = RANGE_MS[rangeParam] ?? Number.POSITIVE_INFINITY
+  const sinceMs = Number.isFinite(rangeMs) ? Date.now() - rangeMs : 0
+
+  const rollups = rollupCostByBillingCode({ codes, sinceMs })
+  const observed = listObservedBillingCodes()
+
+  return NextResponse.json({
+    range: rangeParam,
+    codes: codes ?? null,
+    rollups,
+    observedCodes: observed,
+  })
+}

package/src/app/api/workspaces/active/route.ts

@@ -0,0 +1,19 @@
+import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { getActiveWorkspace, setActiveWorkspace } from '@/lib/server/workspaces/workspace-registry'
+
+export const dynamic = 'force-dynamic'
+
+export async function GET() {
+  return NextResponse.json({ workspace: getActiveWorkspace() })
+}
+
+export async function POST(req: Request) {
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
+  const id = typeof body?.id === 'string' ? body.id : null
+  if (!id) return NextResponse.json({ error: 'id required' }, { status: 400 })
+  const workspace = setActiveWorkspace(id)
+  if (!workspace) return NextResponse.json({ error: 'workspace not found' }, { status: 404 })
+  return NextResponse.json({ workspace })
+}