fix(copilot): replace crypto.randomUUID() with generateId() per project rule

[voidborne-d]

Problem

AGENTS.md / CLAUDE.md forbid crypto.randomUUID():

ID Generation: Never use crypto.randomUUID(), nanoid, or uuid package. Use generateId() (UUID v4) or generateShortId() (compact) from @sim/utils/id

generateId exists for a reason: crypto.randomUUID() is unavailable on non-secure (plain HTTP) browser contexts — the root cause of #3393, where self-hosted Sim served over http://192.168.x.x:3000 white-screens with TypeError: crypto.randomUUID is not a function. PR #3397 polyfilled the client, but four copilot server-side files still call crypto.randomUUID() directly, in violation of the project rule.

apps/sim/lib/copilot/chat/persisted-message.ts   (2 sites)
apps/sim/lib/copilot/chat/post.ts                (3 sites: executionId, runId, userMessageId)
apps/sim/lib/copilot/request/tools/tables.ts     (2 sites: row_ ID prefix)
apps/sim/lib/copilot/tools/handlers/oauth.ts     (1 site: pendingCredentialDraft.id)

Fix

Replace every crypto.randomUUID() call in apps/sim/lib/copilot/** with generateId() imported from @sim/utils/id. generateId is a drop-in: it returns a lowercase RFC 4122 UUID v4 string, using crypto.randomUUID when available and falling back to crypto.getRandomValues otherwise. In tables.ts the .replace(/-/g, '') suffix is preserved so row-ID shape (row_<32-hex>) is unchanged.

Server-side Node 22 always has randomUUID, so behavior is identical today — this is about obeying the project's own hard rule and not leaving the copilot subtree as a footgun if any of these call paths ever reach a non-secure-context runtime (e.g. future edge-runtime migration, Workers, Deno, or an imported shared module).

Why small

PRs #3485 and #3574 tried to sweep the whole repo (100 / 42 files, new parallel generateId utilities); both stalled. This PR is four files, uses the canonical @sim/utils/id that already ships, and touches only the copilot subtree that was missed in the earlier cleanup. No new utilities, no behavior change.

Verification

Run from repo root:

• bun run lint:check — ✅ clean (6594 sim files checked)
• bun run format:check — ✅ clean
• bun run turbo run type-check --filter=sim — ✅ clean
• cd apps/sim && bunx vitest run lib/copilot — ✅ 40 files / 218 tests pass

Refs #3393.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 23, 2026 5:04am

[cursor]

PR Summary

Low Risk
Low risk mechanical change that only alters ID generation to use generateId(); behavior should remain UUIDv4 but relies on a shared utility in a few persistence/trace/tool paths.

Overview
Replaces remaining crypto.randomUUID() calls under apps/sim/lib/copilot/** with generateId() to comply with the project’s ID-generation rule and avoid failures in non-secure/unsupported crypto.randomUUID runtimes.

This updates IDs created for persisted assistant messages and message normalization (persisted-message.ts), unified chat request execution/run/user message IDs (post.ts), generated table row IDs (tables.ts, preserving the row_<32hex> shape), and OAuth pendingCredentialDraft.id creation (oauth.ts).

^{Reviewed by Cursor Bugbot for commit 639faf0. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR replaces all crypto.randomUUID() calls in the copilot subtree (8 sites across 4 files) with generateId() from @sim/utils/id, bringing these files into compliance with the project's ID-generation rule. The generateId() utility is a verified drop-in that returns the same UUID v4 format, with a crypto.getRandomValues() fallback for non-secure contexts — no behavior change on Node 22.

Confidence Score: 5/5

Safe to merge — mechanical rule-compliance fix with no behavior change on the current server-side runtime.

All 8 substitutions are correct drop-in replacements. No remaining crypto.randomUUID() calls exist in the copilot directory. The generateId() implementation is verified to produce identical output on Node 22 while adding a secure-context fallback. No logic, schema, or API contract changes.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/lib/copilot/chat/persisted-message.ts	Replaces 2 crypto.randomUUID() calls with generateId() — straightforward, correct substitution.
apps/sim/lib/copilot/chat/post.ts	Replaces 3 crypto.randomUUID() calls (executionId, runId, userMessageId) with generateId() — correct and complete.
apps/sim/lib/copilot/request/tools/tables.ts	Replaces 2 crypto.randomUUID().replace(/-/g, '') calls with generateId().replace(/-/g, '') — row-ID shape preserved, correct substitution.
apps/sim/lib/copilot/tools/handlers/oauth.ts	Replaces 1 crypto.randomUUID() call for pendingCredentialDraft.id with generateId() — correct substitution.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["generateId() call"] --> B{crypto.randomUUID available?}
    B -- Yes --> C["crypto.randomUUID() → UUID v4"]
    B -- No --> D["crypto.getRandomValues() → UUID v4"]
    C --> E["Return UUID string"]
    D --> E

    subgraph "Replaced call sites"
        F["persisted-message.ts ×2"]
        G["post.ts ×3"]
        H["tables.ts ×2 + .replace(/-/g,''')"]
        I["oauth.ts ×1"]
    end

    F & G & H & I --> A

Loading

_{Reviews (1): Last reviewed commit: "fix(copilot): replace crypto.randomUUID(..." | Re-trigger Greptile}

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

[waleedlatif1]

@voidborne-d please rebase with origin staging, then we can merge

[voidborne-d]

Rebased against origin/staging — clean cherry-pick, no conflicts. Ready to merge.