fix: add domainId to project DTOs and project create UI

apps/api/package.json

@@ -62,7 +62,6 @@
     "discord.js": "^14.25.1",
     "dockerode": "^4.0.9",
     "gray-matter": "^4.0.3",
-    "helmet": "^8.1.0",
     "highlight.js": "^11.11.1",
     "ioredis": "^5.9.2",
     "jose": "^6.1.3",

apps/api/src/auth/auth.controller.ts

@@ -106,7 +106,7 @@ export class AuthController {
   // @SkipCsrf avoids double-protection conflicts.
   // See: https://www.better-auth.com/docs/reference/security
   @SkipCsrf()
-  @Throttle({ default: { ttl: 60_000, limit: 5 } })
+  @Throttle({ strict: { limit: 10, ttl: 60000 } })
   async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {
     // Extract client IP for logging
     const clientIp = this.getClientIp(req);

apps/api/src/main.ts

@@ -1,7 +1,6 @@
 import { NestFactory } from "@nestjs/core";
 import { RequestMethod, ValidationPipe } from "@nestjs/common";
 import cookieParser from "cookie-parser";
-import helmet from "helmet";
 import { AppModule } from "./app.module";
 import { getTrustedOrigins } from "./auth/auth.config";
 import { GlobalExceptionFilter } from "./filters/global-exception.filter";
@@ -34,14 +33,6 @@ async function bootstrap() {
   // Enable cookie parser for session handling
   app.use(cookieParser());
 
-  // Enable helmet security headers
-  app.use(
-    helmet({
-      contentSecurityPolicy: false, // Let Next.js handle CSP
-      crossOriginEmbedderPolicy: false,
-    })
-  );
-
   // Enable global validation pipe with transformation
   app.useGlobalPipes(
     new ValidationPipe({

apps/web/src/lib/api/chat.ts

@@ -1,6 +1,6 @@
 /**
  * Chat API client
- * Handles LLM chat interactions via /api/chat/stream (streaming) and /api/llm/chat (fallback)
+ * Handles LLM chat interactions via /api/llm/chat
  */
 
 import { apiPost, fetchCsrfToken, getCsrfToken } from "./client";
@@ -33,28 +33,9 @@ export interface ChatResponse {
 }
 
 /**
- * Parsed SSE data chunk from OpenAI-compatible stream
+ * Parsed SSE data chunk from the LLM stream
  */
-interface OpenAiSseChunk {
-  id?: string;
-  object?: string;
-  created?: number;
-  model?: string;
-  choices?: {
-    index: number;
-    delta?: {
-      role?: string;
-      content?: string;
-    };
-    finish_reason?: string | null;
-  }[];
-  error?: string;
-}
-
-/**
- * Parsed SSE data chunk from legacy /api/llm/chat stream
- */
-interface LegacySseChunk {
+interface SseChunk {
   error?: string;
   message?: {
     role: string;
@@ -65,17 +46,7 @@ interface LegacySseChunk {
 }
 
 /**
- * Parsed SSE data chunk with simple token format
- */
-interface SimpleTokenChunk {
-  token?: string;
-  done?: boolean;
-  error?: string;
-}
-
-/**
- * Send a chat message to the LLM (non-streaming fallback)
- * Uses /api/llm/chat endpoint which supports both streaming and non-streaming
+ * Send a chat message to the LLM
  */
 export async function sendChatMessage(request: ChatRequest): Promise<ChatResponse> {
   return apiPost<ChatResponse>("/api/llm/chat", request);
@@ -95,20 +66,11 @@ async function ensureCsrfTokenForStream(): Promise<string> {
 /**
  * Stream a chat message from the LLM using SSE over fetch.
  *
- * Uses /api/chat/stream endpoint which proxies to OpenClaw.
- * The backend responds with Server-Sent Events in one of these formats:
- *
- * OpenAI-compatible format:
- *   data: {"choices":[{"delta":{"content":"token"}}],...}\n\n
- *   data: [DONE]\n\n
- *
- * Legacy format (from /api/llm/chat):
- *   data: {"message":{"content":"token"},...}\n\n
- *   data: [DONE]\n\n
- *
- * Simple token format:
- *   data: {"token":"..."}\n\n
- *   data: {"done":true}\n\n
+ * The backend accepts stream: true in the request body and responds with
+ * Server-Sent Events:
+ *   data: {"message":{"content":"token"},...}\n\n  for each token
+ *   data: [DONE]\n\n  when the stream is complete
+ *   data: {"error":"message"}\n\n  on error
  *
  * @param request - Chat request (stream field will be forced to true)
  * @param onChunk - Called with each token string as it arrives
@@ -127,14 +89,14 @@ export function streamChatMessage(
     try {
       const csrfToken = await ensureCsrfTokenForStream();
 
-      const response = await fetch(`${API_BASE_URL}/api/chat/stream`, {
+      const response = await fetch(`${API_BASE_URL}/api/llm/chat`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           "X-CSRF-Token": csrfToken,
         },
         credentials: "include",
-        body: JSON.stringify({ messages: request.messages, stream: true }),
+        body: JSON.stringify({ ...request, stream: true }),
         signal: signal ?? null,
       });
 
@@ -170,25 +132,6 @@ export function streamChatMessage(
           const trimmed = part.trim();
           if (!trimmed) continue;
 
-          // Handle event: error format
-          const eventMatch = /^event:\s*(\S+)\n/i.exec(trimmed);
-          const dataMatch = /^data:\s*(.+)$/im.exec(trimmed);
-
-          if (eventMatch?.[1] === "error" && dataMatch?.[1]) {
-            try {
-              const errorData = JSON.parse(dataMatch[1].trim()) as {
-                error?: string;
-              };
-              throw new Error(errorData.error ?? "Stream error occurred");
-            } catch (parseErr) {
-              if (parseErr instanceof SyntaxError) {
-                throw new Error("Stream error occurred");
-              }
-              throw parseErr;
-            }
-          }
-
-          // Standard SSE format: data: {...}
           for (const line of trimmed.split("\n")) {
             if (!line.startsWith("data: ")) continue;
 
@@ -200,39 +143,14 @@ export function streamChatMessage(
             }
 
             try {
-              const parsed: unknown = JSON.parse(data);
+              const parsed = JSON.parse(data) as SseChunk;
 
-              // Handle OpenAI format (from /api/chat/stream via OpenClaw)
-              const openAiChunk = parsed as OpenAiSseChunk;
-              if (openAiChunk.choices?.[0]?.delta?.content) {
-                onChunk(openAiChunk.choices[0].delta.content);
-                continue;
+              if (parsed.error) {
+                throw new Error(parsed.error);
               }
 
-              // Handle legacy format (from /api/llm/chat)
-              const legacyChunk = parsed as LegacySseChunk;
-              if (legacyChunk.message?.content) {
-                onChunk(legacyChunk.message.content);
-                continue;
-              }
-
-              // Handle simple token format
-              const simpleChunk = parsed as SimpleTokenChunk;
-              if (simpleChunk.token) {
-                onChunk(simpleChunk.token);
-                continue;
-              }
-
-              // Handle done flag in simple format
-              if (simpleChunk.done === true) {
-                onComplete();
-                return;
-              }
-
-              // Handle error in any format
-              const error = openAiChunk.error ?? legacyChunk.error ?? simpleChunk.error;
-              if (error) {
-                throw new Error(error);
+              if (parsed.message?.content) {
+                onChunk(parsed.message.content);
               }
             } catch (parseErr) {
               if (parseErr instanceof SyntaxError) {
@@ -244,7 +162,7 @@ export function streamChatMessage(
         }
       }
 
-      // Natural end of stream without [DONE] or done flag
+      // Natural end of stream without [DONE]
       onComplete();
     } catch (err: unknown) {
       if (err instanceof DOMException && err.name === "AbortError") {

pnpm-lock.yaml

@@ -180,9 +180,6 @@ importers:
       gray-matter:
         specifier: ^4.0.3
         version: 4.0.3
-      helmet:
-        specifier: ^8.1.0
-        version: 8.1.0
       highlight.js:
         specifier: ^11.11.1
         version: 11.11.1
@@ -5213,10 +5210,6 @@ packages:
     resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
     engines: {node: '>= 0.4'}
 
-  helmet@8.1.0:
-    resolution: {integrity: sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==}
-    engines: {node: '>=18.0.0'}
-
   highlight.js@11.11.1:
     resolution: {integrity: sha512-Xwwo44whKBVCYoliBQwaPvtd/2tYFkRQtXDWj1nackaV2JPXx3L0+Jvd8/qCJ2p+ML0/XVkJ2q+Mr+UVdpJK5w==}
     engines: {node: '>=12.0.0'}
@@ -12822,8 +12815,6 @@ snapshots:
     dependencies:
       function-bind: 1.1.2
 
-  helmet@8.1.0: {}
-
   highlight.js@11.11.1: {}
 
   html-encoding-sniffer@4.0.0: