From 266efddbcfef2187f2c9ef4f8b41b9a402085545 Mon Sep 17 00:00:00 2001
From: Kaito <kaito@agentbridge.local>
Date: Thu, 14 May 2026 00:08:24 +0700
Subject: [PATCH 1/5] refactor(dashboard): mark notes read with server action

---
 apps/web/app/dashboard/notes/actions.ts    | 83 ++++++++++++++++++++++
 apps/web/app/dashboard/notes/note-list.tsx | 72 ++++++++-----------
 2 files changed, 114 insertions(+), 41 deletions(-)
 create mode 100644 apps/web/app/dashboard/notes/actions.ts

diff --git a/apps/web/app/dashboard/notes/actions.ts b/apps/web/app/dashboard/notes/actions.ts
new file mode 100644
index 0000000..429ffb6
--- /dev/null
+++ b/apps/web/app/dashboard/notes/actions.ts
@@ -0,0 +1,83 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import { Status } from "@/generated/prisma/enums"
+import { invalidateCompanyCache } from "@/lib/api/cache"
+import { findReviewReader } from "@/lib/api/review-reader"
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+
+type MarkNoteReadResult =
+  | { ok: true; taskId: string; readBy: string }
+  | { ok: false; error: string }
+
+export async function markDoneTaskSummaryReadAction(
+  taskId: string
+): Promise<MarkNoteReadResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const task = await prisma.task.findFirst({
+    where: {
+      id: taskId,
+      status: Status.done,
+      archivedAt: null,
+      note: { not: null },
+      project: { company: { userId: session.userId } },
+    },
+    select: {
+      id: true,
+      summaryUpdatedAt: true,
+      taskUpdatedAt: true,
+      project: { select: { companyId: true } },
+    },
+  })
+
+  if (!task) {
+    return { ok: false, error: "Done task note not found." }
+  }
+
+  const reviewReader = await findReviewReader(task.project.companyId)
+
+  if (!reviewReader) {
+    return { ok: false, error: "Review reader agent not found." }
+  }
+
+  const readAt = new Date()
+
+  await prisma.$transaction(async (tx) => {
+    if (!task.summaryUpdatedAt) {
+      await tx.task.update({
+        where: { id: task.id },
+        data: { summaryUpdatedAt: task.taskUpdatedAt },
+      })
+    }
+
+    await tx.taskReadMarker.upsert({
+      where: {
+        taskId_agentId_status: {
+          taskId: task.id,
+          agentId: reviewReader.id,
+          status: Status.done,
+        },
+      },
+      create: {
+        taskId: task.id,
+        agentId: reviewReader.id,
+        status: Status.done,
+        readAt,
+      },
+      update: { readAt },
+    })
+  })
+
+  await invalidateCompanyCache(task.project.companyId)
+  revalidatePath("/dashboard/notes")
+  revalidatePath(`/dashboard/projects/${task.project.companyId}`)
+
+  return { ok: true, taskId: task.id, readBy: reviewReader.AgentId }
+}
diff --git a/apps/web/app/dashboard/notes/note-list.tsx b/apps/web/app/dashboard/notes/note-list.tsx
index 61a0789..7d99b18 100644
--- a/apps/web/app/dashboard/notes/note-list.tsx
+++ b/apps/web/app/dashboard/notes/note-list.tsx
@@ -1,9 +1,8 @@
 "use client"
 
-import { useState } from "react"
+import { useState, useTransition } from "react"
 import Link from "next/link"
 import { ChevronDown } from "lucide-react"
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
 
 import { Badge } from "@/components/ui/badge"
 import { Button } from "@/components/ui/button"
@@ -14,9 +13,10 @@ import {
   CardHeader,
   CardTitle,
 } from "@/components/ui/card"
-import { apiJson } from "@/lib/api/client"
 import { cn } from "@/lib/utils"
 
+import { markDoneTaskSummaryReadAction } from "./actions"
+
 type NoteTask = {
   id: string
   name: string
@@ -47,31 +47,11 @@ type NoteListProps = {
 }
 
 export function NoteList({ companyId, reviewReader, initialNotes }: NoteListProps) {
-  const queryClient = useQueryClient()
-  const notesQuery = useQuery({
-    queryKey: ["notes", companyId],
-    queryFn: () =>
-      apiJson<{ notes: NoteTask[]; reviewReader: ReviewReader | null }>(
-        `/api/internal/notes?company=${companyId}`
-      ),
-    initialData: { notes: initialNotes, reviewReader },
-  })
-  const markReadMutation = useMutation({
-    mutationFn: (taskId: string) =>
-      apiJson(`/api/internal/notes/${taskId}/read`, {
-        method: "POST",
-      }),
-    onSuccess: (_data, taskId) => {
-      queryClient.setQueryData<{ notes: NoteTask[] }>(["notes", companyId], (current) =>
-        current
-          ? { notes: current.notes.filter((task) => task.id !== taskId) }
-          : current
-      )
-      queryClient.invalidateQueries({ queryKey: ["project"] })
-    },
-  })
-  const notes = notesQuery.data.notes
-  const currentReviewReader = notesQuery.data.reviewReader ?? reviewReader
+  const [notes, setNotes] = useState(initialNotes)
+  const [error, setError] = useState<string | null>(null)
+  const [pendingTaskId, setPendingTaskId] = useState<string | null>(null)
+  const [isPending, startTransition] = useTransition()
+  const currentReviewReader = reviewReader
   const reviewReaderLabel = currentReviewReader
     ? currentReviewReader.AgentId === "main"
       ? "Natsuki/main"
@@ -80,15 +60,12 @@ export function NoteList({ companyId, reviewReader, initialNotes }: NoteListProp
 
   return (
     <div className="space-y-4">
-      {notesQuery.isFetching ? (
-        <p className="text-sm text-muted-foreground">Refreshing notes...</p>
+      {isPending ? (
+        <p className="text-sm text-muted-foreground">Updating review marker...</p>
       ) : null}
-      {notesQuery.error ? (
+      {error ? (
         <div className="space-y-3 rounded-2xl border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
-          <p>{notesQuery.error.message}</p>
-          <Button type="button" variant="outline" size="sm" onClick={() => notesQuery.refetch()}>
-            Retry
-          </Button>
+          <p>{error}</p>
         </div>
       ) : null}
       {!currentReviewReader ? (
@@ -129,10 +106,26 @@ export function NoteList({ companyId, reviewReader, initialNotes }: NoteListProp
                   <Button
                     type="button"
                     size="sm"
-                    disabled={markReadMutation.isPending}
-                    onClick={() => markReadMutation.mutate(task.id)}
+                    disabled={isPending}
+                    onClick={() => {
+                      setError(null)
+                      setPendingTaskId(task.id)
+                      startTransition(async () => {
+                        const result = await markDoneTaskSummaryReadAction(task.id)
+
+                        if (result.ok) {
+                          setNotes((current) =>
+                            current.filter((item) => item.id !== task.id)
+                          )
+                        } else {
+                          setError(result.error)
+                        }
+
+                        setPendingTaskId(null)
+                      })
+                    }}
                   >
-                    {markReadMutation.isPending ? (
+                    {pendingTaskId === task.id ? (
                       "Marking..."
                     ) : (
                       `Mark reviewed by ${reviewReaderLabel}`
@@ -151,9 +144,6 @@ export function NoteList({ companyId, reviewReader, initialNotes }: NoteListProp
           </p>
         </div>
       )}
-      {markReadMutation.error ? (
-        <p className="text-sm text-destructive">{markReadMutation.error.message}</p>
-      ) : null}
     </div>
   )
 }

From 662adaebdc73df6df1b3445e13bcdcf8f8ec6118 Mon Sep 17 00:00:00 2001
From: Kaito <kaito@agentbridge.local>
Date: Thu, 14 May 2026 00:34:24 +0700
Subject: [PATCH 2/5] refactor(dashboard): migrate agents summary audit loaders

---
 apps/web/app/dashboard/agents/actions.ts      | 217 ++++++++++++++++++
 .../dashboard/agents/agent-row-actions.tsx    | 106 ++++-----
 .../web/app/dashboard/agents/agents-table.tsx | 108 +++------
 apps/web/app/dashboard/agents/page.tsx        |  15 +-
 .../dashboard/audit-logs/audit-log-list.tsx   |  41 +---
 apps/web/app/dashboard/audit-logs/page.tsx    |   2 +-
 apps/web/app/dashboard/dashboard-summary.tsx  |  42 +---
 apps/web/app/dashboard/page.tsx               |  24 +-
 8 files changed, 330 insertions(+), 225 deletions(-)
 create mode 100644 apps/web/app/dashboard/agents/actions.ts

diff --git a/apps/web/app/dashboard/agents/actions.ts b/apps/web/app/dashboard/agents/actions.ts
new file mode 100644
index 0000000..4735027
--- /dev/null
+++ b/apps/web/app/dashboard/agents/actions.ts
@@ -0,0 +1,217 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import { Prisma } from "@/generated/prisma/client"
+import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
+import { invalidateCompanyCache } from "@/lib/api/cache"
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+
+type AgentActionResult = {
+  error?: string
+}
+
+async function requireDashboardSession() {
+  const session = await getSession()
+
+  if (!session) {
+    throw new Error("Unauthorized")
+  }
+
+  return session
+}
+
+function revalidateDashboardAgentPaths(companyId?: string | null) {
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/agents")
+  revalidatePath("/dashboard/projects")
+  if (companyId) {
+    revalidatePath(`/dashboard/agents?company=${companyId}`)
+    revalidatePath(`/dashboard/projects?company=${companyId}`)
+  }
+}
+
+export async function createAgentAction(_previousState: AgentActionResult, formData: FormData) {
+  const session = await requireDashboardSession()
+
+  const companyId = String(formData.get("companyId") ?? "")
+  const AgentId = String(formData.get("AgentId") ?? "").trim()
+  const name = String(formData.get("name") ?? "").trim()
+  const description = String(formData.get("description") ?? "").trim()
+  const position = String(formData.get("position") ?? "").trim()
+
+  if (!companyId || !AgentId || !name || !position) {
+    return { error: "Company, AgentId, name, and position are required." }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+    select: { id: true },
+  })
+
+  if (!company) {
+    return { error: "Company not found." }
+  }
+
+  const existingAgent = await prisma.agent.findUnique({
+    where: { AgentId },
+    select: { id: true },
+  })
+
+  if (existingAgent) {
+    return { error: "AgentId is already in use." }
+  }
+
+  const agent = await prisma.agent
+    .create({
+      data: {
+        companyId,
+        AgentId,
+        name,
+        description,
+        position,
+      },
+      select: {
+        id: true,
+        AgentId: true,
+        name: true,
+        description: true,
+        position: true,
+        companyId: true,
+      },
+    })
+    .catch((error: unknown) => {
+      if (error instanceof Prisma.PrismaClientKnownRequestError && error.code === "P2002") {
+        return null
+      }
+
+      throw error
+    })
+
+  if (!agent) {
+    return { error: "AgentId is already in use." }
+  }
+
+  await createAuditLog({
+    companyId,
+    action: "agent.created",
+    target: { type: "agent", id: agent.id, name: agent.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: `Created AgentId ${agent.AgentId}.`,
+  })
+  await invalidateCompanyCache(companyId)
+  revalidateDashboardAgentPaths(companyId)
+
+  return {}
+}
+
+export async function updateAgentAction(_previousState: AgentActionResult, formData: FormData) {
+  const session = await requireDashboardSession()
+
+  const agentId = String(formData.get("agentId") ?? "")
+  const nextAgentId = String(formData.get("AgentId") ?? "").trim()
+  const name = String(formData.get("name") ?? "").trim()
+  const description = String(formData.get("description") ?? "").trim()
+  const position = String(formData.get("position") ?? "").trim()
+
+  if (!agentId) {
+    return { error: "Agent is required." }
+  }
+
+  if (!nextAgentId || !name || !position) {
+    return { error: "AgentId, name, and position cannot be empty." }
+  }
+
+  const agent = await prisma.agent.findFirst({
+    where: {
+      id: agentId,
+      company: { userId: session.userId },
+    },
+  })
+
+  if (!agent) {
+    return { error: "Agent not found." }
+  }
+
+  if (nextAgentId !== agent.AgentId) {
+    const existing = await prisma.agent.findUnique({
+      where: { AgentId: nextAgentId },
+      select: { id: true },
+    })
+
+    if (existing) {
+      return { error: "AgentId is already in use." }
+    }
+  }
+
+  const updatedAgent = await prisma.agent.update({
+    where: { id: agent.id },
+    data: {
+      AgentId: nextAgentId,
+      name,
+      description,
+      position,
+    },
+    select: {
+      id: true,
+      AgentId: true,
+      name: true,
+      description: true,
+      position: true,
+      companyId: true,
+    },
+  })
+
+  await createAuditLog({
+    companyId: agent.companyId,
+    action: "agent.updated",
+    target: { type: "agent", id: agent.id, name: updatedAgent.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: formatChangedFields([
+      nextAgentId !== agent.AgentId && "AgentId",
+      name !== agent.name && "name",
+      description !== agent.description && "description",
+      position !== agent.position && "position",
+    ]),
+  })
+  await invalidateCompanyCache(agent.companyId)
+  revalidateDashboardAgentPaths(agent.companyId)
+
+  return {}
+}
+
+export async function deleteAgentAction(_previousState: AgentActionResult, formData: FormData) {
+  const session = await requireDashboardSession()
+
+  const agentId = String(formData.get("agentId") ?? "")
+
+  if (!agentId) {
+    return { error: "Agent is required." }
+  }
+
+  const agent = await prisma.agent.findFirst({
+    where: {
+      id: agentId,
+      company: { userId: session.userId },
+    },
+  })
+
+  if (!agent) {
+    return { error: "Agent not found." }
+  }
+
+  await prisma.agent.delete({ where: { id: agent.id } })
+
+  await createAuditLog({
+    companyId: agent.companyId,
+    action: "agent.deleted",
+    target: { type: "agent", id: agent.id, name: agent.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: `Deleted AgentId ${agent.AgentId}.`,
+  })
+  await invalidateCompanyCache(agent.companyId)
+  revalidateDashboardAgentPaths(agent.companyId)
+
+  return {}
+}
diff --git a/apps/web/app/dashboard/agents/agent-row-actions.tsx b/apps/web/app/dashboard/agents/agent-row-actions.tsx
index 5d68b97..3bd4205 100644
--- a/apps/web/app/dashboard/agents/agent-row-actions.tsx
+++ b/apps/web/app/dashboard/agents/agent-row-actions.tsx
@@ -1,7 +1,7 @@
 "use client"
 
-import { useState } from "react"
-import { useMutation, useQueryClient } from "@tanstack/react-query"
+import { useActionState, useState } from "react"
+import { useFormStatus } from "react-dom"
 import { MoreHorizontalIcon } from "lucide-react"
 
 import {
@@ -33,7 +33,8 @@ import {
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
+
+import { deleteAgentAction, updateAgentAction } from "./actions"
 
 type AgentRow = {
   id: string
@@ -45,58 +46,13 @@ type AgentRow = {
 
 type AgentRowActionsProps = {
   agent: AgentRow
-  companyId: string | null
 }
 
-export function AgentRowActions({ agent, companyId }: AgentRowActionsProps) {
+export function AgentRowActions({ agent }: AgentRowActionsProps) {
   const [editOpen, setEditOpen] = useState(false)
   const [deleteOpen, setDeleteOpen] = useState(false)
-  const queryClient = useQueryClient()
-
-  function invalidateAgentData() {
-    queryClient.invalidateQueries({ queryKey: ["agents", companyId] })
-    queryClient.invalidateQueries({
-      queryKey: ["dashboard-summary", companyId],
-    })
-    queryClient.invalidateQueries({ queryKey: ["projects", companyId] })
-    queryClient.invalidateQueries({ queryKey: ["project"] })
-  }
-
-  const editMutation = useMutation({
-    mutationFn: (payload: {
-      AgentId: string
-      name: string
-      description: string
-      position: string
-    }) =>
-      apiJson<{ agent: AgentRow }>(`/api/internal/agents/${agent.id}`, {
-        method: "PATCH",
-        body: JSON.stringify(payload),
-      }),
-    onSuccess: () => {
-      setEditOpen(false)
-      invalidateAgentData()
-    },
-  })
-  const deleteMutation = useMutation({
-    mutationFn: () =>
-      apiJson(`/api/internal/agents/${agent.id}`, {
-        method: "DELETE",
-      }),
-    onSuccess: () => {
-      setDeleteOpen(false)
-      invalidateAgentData()
-    },
-  })
-
-  function editAction(formData: FormData) {
-    editMutation.mutate({
-      AgentId: String(formData.get("AgentId") ?? ""),
-      name: String(formData.get("name") ?? ""),
-      description: String(formData.get("description") ?? ""),
-      position: String(formData.get("position") ?? ""),
-    })
-  }
+  const [editState, editAction] = useActionState(updateAgentAction, {})
+  const [deleteState, deleteAction] = useActionState(deleteAgentAction, {})
 
   return (
     <div className="flex justify-end gap-2">
@@ -133,6 +89,7 @@ export function AgentRowActions({ agent, companyId }: AgentRowActionsProps) {
             </DialogDescription>
           </DialogHeader>
           <form action={editAction} className="space-y-4">
+            <input name="agentId" type="hidden" value={agent.id} />
             <div className="space-y-2">
               <Label htmlFor={`agent-api-id-${agent.id}`}>AgentId</Label>
               <Input
@@ -175,14 +132,12 @@ export function AgentRowActions({ agent, companyId }: AgentRowActionsProps) {
                 rows={4}
               />
             </div>
-            {editMutation.error ? (
+            {editState.error ? (
               <p className="text-sm text-destructive">
-                {editMutation.error.message}
+                {editState.error}
               </p>
             ) : null}
-            <Button disabled={editMutation.isPending} type="submit">
-              {editMutation.isPending ? "Saving..." : "Save changes"}
-            </Button>
+            <SaveAgentButton />
           </form>
         </DialogContent>
       </Dialog>
@@ -196,21 +151,16 @@ export function AgentRowActions({ agent, companyId }: AgentRowActionsProps) {
               other agents.
             </AlertDialogDescription>
           </AlertDialogHeader>
-          {deleteMutation.error ? (
+          {deleteState.error ? (
             <p className="text-sm text-destructive">
-              {deleteMutation.error.message}
+              {deleteState.error}
             </p>
           ) : null}
           <AlertDialogFooter>
             <AlertDialogCancel>Cancel</AlertDialogCancel>
-            <form action={() => deleteMutation.mutate()}>
-              <AlertDialogAction
-                disabled={deleteMutation.isPending}
-                variant="destructive"
-                type="submit"
-              >
-                {deleteMutation.isPending ? "Deleting..." : "Delete"}
-              </AlertDialogAction>
+            <form action={deleteAction}>
+              <input name="agentId" type="hidden" value={agent.id} />
+              <DeleteAgentButton />
             </form>
           </AlertDialogFooter>
         </AlertDialogContent>
@@ -218,3 +168,27 @@ export function AgentRowActions({ agent, companyId }: AgentRowActionsProps) {
     </div>
   )
 }
+
+function SaveAgentButton() {
+  const { pending } = useFormStatus()
+
+  return (
+    <Button disabled={pending} type="submit">
+      {pending ? "Saving..." : "Save changes"}
+    </Button>
+  )
+}
+
+function DeleteAgentButton() {
+  const { pending } = useFormStatus()
+
+  return (
+    <AlertDialogAction
+      disabled={pending}
+      variant="destructive"
+      type="submit"
+    >
+      {pending ? "Deleting..." : "Delete"}
+    </AlertDialogAction>
+  )
+}
diff --git a/apps/web/app/dashboard/agents/agents-table.tsx b/apps/web/app/dashboard/agents/agents-table.tsx
index 8df5c08..fb6e834 100644
--- a/apps/web/app/dashboard/agents/agents-table.tsx
+++ b/apps/web/app/dashboard/agents/agents-table.tsx
@@ -1,6 +1,7 @@
 "use client"
 
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
+import { useActionState, useEffect, useRef } from "react"
+import { useFormStatus } from "react-dom"
 
 import { Button } from "@/components/ui/button"
 import {
@@ -22,8 +23,8 @@ import {
   TableRow,
 } from "@/components/ui/table"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
 
+import { createAgentAction } from "./actions"
 import { AgentRowActions } from "./agent-row-actions"
 
 type AgentRow = {
@@ -35,49 +36,19 @@ type AgentRow = {
 }
 
 type AgentsTableProps = {
+  agents: AgentRow[]
   companyId: string | null
 }
 
-export function AgentsTable({ companyId }: AgentsTableProps) {
-  const queryClient = useQueryClient()
-  const agentsQuery = useQuery({
-    queryKey: ["agents", companyId],
-    queryFn: () =>
-      apiJson<{ agents: AgentRow[] }>(`/api/internal/agents?companyId=${companyId}`),
-    enabled: Boolean(companyId),
-  })
-  const createMutation = useMutation({
-    mutationFn: (payload: {
-      companyId: string
-      AgentId: string
-      name: string
-      description: string
-      position: string
-    }) =>
-      apiJson<{ agent: AgentRow }>("/api/internal/agents", {
-        method: "POST",
-        body: JSON.stringify(payload),
-      }),
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ["agents", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["dashboard-summary", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["projects", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["project"] })
-    },
-  })
+export function AgentsTable({ agents, companyId }: AgentsTableProps) {
+  const formRef = useRef<HTMLFormElement>(null)
+  const [state, formAction] = useActionState(createAgentAction, {})
 
-  function action(formData: FormData) {
-    if (!companyId) return
-
-    createMutation.mutate({
-      companyId,
-      AgentId: String(formData.get("AgentId") ?? ""),
-      name: String(formData.get("name") ?? ""),
-      description: String(formData.get("description") ?? ""),
-      position: String(formData.get("position") ?? ""),
-    })
-  }
-  const currentAgents = agentsQuery.data?.agents ?? []
+  useEffect(() => {
+    if (!state.error) {
+      formRef.current?.reset()
+    }
+  }, [state])
 
   return (
     <div className="space-y-5">
@@ -101,7 +72,7 @@ export function AgentsTable({ companyId }: AgentsTableProps) {
                 The company bearer token is shared. Enter the AgentId this agent will send in the AgentId header.
               </DialogDescription>
             </DialogHeader>
-            <form action={action} className="space-y-4">
+            <form ref={formRef} action={formAction} className="space-y-4">
               <input name="companyId" type="hidden" value={companyId ?? ""} />
               <div className="space-y-2">
                 <Label htmlFor="agent-agent-id">AgentId</Label>
@@ -119,26 +90,13 @@ export function AgentsTable({ companyId }: AgentsTableProps) {
                 <Label htmlFor="agent-description">Description</Label>
                 <Textarea id="agent-description" name="description" rows={4} />
               </div>
-              {createMutation.error ? (
-                <p className="text-sm text-destructive">{createMutation.error.message}</p>
-              ) : null}
-              <Button disabled={createMutation.isPending || !companyId} type="submit">
-                {createMutation.isPending ? "Creating..." : "Create agent"}
-              </Button>
+              {state.error ? <p className="text-sm text-destructive">{state.error}</p> : null}
+              <CreateAgentButton disabled={!companyId} />
             </form>
           </DialogContent>
         </Dialog>
       </div>
 
-      {agentsQuery.isError ? (
-        <div className="rounded-2xl border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
-          <p>{agentsQuery.error.message}</p>
-          <Button className="mt-3" size="sm" variant="outline" onClick={() => agentsQuery.refetch()}>
-            Retry
-          </Button>
-        </div>
-      ) : null}
-
       <div className="overflow-hidden rounded-2xl border border-border">
         <Table>
           <TableHeader className="bg-muted text-xs uppercase tracking-[0.16em] text-muted-foreground">
@@ -151,10 +109,8 @@ export function AgentsTable({ companyId }: AgentsTableProps) {
             </TableRow>
           </TableHeader>
           <TableBody>
-            {agentsQuery.isLoading ? (
-              <AgentRowsSkeleton />
-            ) : currentAgents.length ? (
-              currentAgents.map((agent) => (
+            {agents.length ? (
+              agents.map((agent) => (
                 <TableRow key={agent.id}>
                   <TableCell className="font-medium">{agent.name}</TableCell>
                   <TableCell className="font-mono text-xs text-muted-foreground">
@@ -163,7 +119,7 @@ export function AgentsTable({ companyId }: AgentsTableProps) {
                   <TableCell className="text-muted-foreground">{agent.position}</TableCell>
                   <TableCell className="text-muted-foreground">{agent.description}</TableCell>
                   <TableCell className="text-right">
-                    <AgentRowActions agent={agent} companyId={companyId} />
+                    <AgentRowActions agent={agent} />
                   </TableCell>
                 </TableRow>
               ))
@@ -181,24 +137,12 @@ export function AgentsTable({ companyId }: AgentsTableProps) {
   )
 }
 
-function AgentRowsSkeleton() {
-  return Array.from({ length: 5 }, (_, index) => (
-    <TableRow key={index} aria-label="Loading agent">
-      <TableCell>
-        <div className="h-4 w-32 animate-pulse rounded bg-muted" />
-      </TableCell>
-      <TableCell>
-        <div className="h-4 w-24 animate-pulse rounded bg-muted" />
-      </TableCell>
-      <TableCell>
-        <div className="h-4 w-28 animate-pulse rounded bg-muted" />
-      </TableCell>
-      <TableCell>
-        <div className="h-4 w-48 animate-pulse rounded bg-muted" />
-      </TableCell>
-      <TableCell className="text-right">
-        <div className="ml-auto h-8 w-8 animate-pulse rounded bg-muted" />
-      </TableCell>
-    </TableRow>
-  ))
+function CreateAgentButton({ disabled }: { disabled?: boolean }) {
+  const { pending } = useFormStatus()
+
+  return (
+    <Button disabled={pending || disabled} type="submit">
+      {pending ? "Creating..." : "Create agent"}
+    </Button>
+  )
 }
diff --git a/apps/web/app/dashboard/agents/page.tsx b/apps/web/app/dashboard/agents/page.tsx
index 284413d..4e57d26 100644
--- a/apps/web/app/dashboard/agents/page.tsx
+++ b/apps/web/app/dashboard/agents/page.tsx
@@ -2,6 +2,7 @@ import { redirect } from "next/navigation"
 
 import { DashboardShell } from "@/components/dashboard/shell"
 import { getDashboardContext } from "@/lib/dashboard/companies"
+import { prisma } from "@/lib/prisma"
 
 import { AgentsTable } from "./agents-table"
 
@@ -17,6 +18,18 @@ export default async function AgentsPage({ searchParams }: AgentsPageProps) {
     redirect("/dashboard?createCompany=1")
   }
 
+  const agents = await prisma.agent.findMany({
+    where: { companyId: activeCompany.id },
+    orderBy: { name: "asc" },
+    select: {
+      id: true,
+      AgentId: true,
+      name: true,
+      description: true,
+      position: true,
+    },
+  })
+
   return (
     <DashboardShell
       companies={companies}
@@ -25,7 +38,7 @@ export default async function AgentsPage({ searchParams }: AgentsPageProps) {
       username={session.username}
     >
       <section className="rounded-3xl border border-border bg-card p-6 shadow-sm">
-        <AgentsTable companyId={activeCompany?.id ?? null} />
+        <AgentsTable agents={agents} companyId={activeCompany.id} />
       </section>
     </DashboardShell>
   )
diff --git a/apps/web/app/dashboard/audit-logs/audit-log-list.tsx b/apps/web/app/dashboard/audit-logs/audit-log-list.tsx
index a5fe65e..ef40dc9 100644
--- a/apps/web/app/dashboard/audit-logs/audit-log-list.tsx
+++ b/apps/web/app/dashboard/audit-logs/audit-log-list.tsx
@@ -1,10 +1,6 @@
 "use client"
 
-import { useQuery } from "@tanstack/react-query"
-
 import { Badge } from "@/components/ui/badge"
-import { Button } from "@/components/ui/button"
-import { apiJson } from "@/lib/api/client"
 
 type AuditLog = {
   id: string
@@ -19,43 +15,10 @@ type AuditLog = {
 }
 
 type AuditLogListProps = {
-  companyId: string
-  initialAuditLogs: AuditLog[]
+  auditLogs: AuditLog[]
 }
 
-export function AuditLogList({ companyId, initialAuditLogs }: AuditLogListProps) {
-  const auditLogQuery = useQuery({
-    queryKey: ["audit-logs", companyId],
-    queryFn: () =>
-      apiJson<{ auditLogs: AuditLog[] }>(`/api/internal/audit-logs?companyId=${companyId}`),
-    initialData: { auditLogs: initialAuditLogs },
-  })
-  const auditLogs = auditLogQuery.data.auditLogs
-
-  if (auditLogQuery.isError) {
-    return (
-      <div className="rounded-3xl border border-destructive/30 bg-destructive/5 p-6 text-sm">
-        <p className="font-medium text-destructive">Could not load audit logs.</p>
-        <p className="mt-1 text-muted-foreground">
-          {auditLogQuery.error.message || "Please try again."}
-        </p>
-        <Button className="mt-4" variant="outline" onClick={() => auditLogQuery.refetch()}>
-          Retry
-        </Button>
-      </div>
-    )
-  }
-
-  if (auditLogQuery.isLoading) {
-    return (
-      <div className="space-y-3">
-        {Array.from({ length: 5 }).map((_, index) => (
-          <div key={index} className="h-24 animate-pulse rounded-3xl bg-muted" />
-        ))}
-      </div>
-    )
-  }
-
+export function AuditLogList({ auditLogs }: AuditLogListProps) {
   if (auditLogs.length === 0) {
     return (
       <div className="rounded-3xl border border-dashed border-border bg-muted/30 p-8 text-center">
diff --git a/apps/web/app/dashboard/audit-logs/page.tsx b/apps/web/app/dashboard/audit-logs/page.tsx
index f99fe67..5d50a46 100644
--- a/apps/web/app/dashboard/audit-logs/page.tsx
+++ b/apps/web/app/dashboard/audit-logs/page.tsx
@@ -46,7 +46,7 @@ export default async function AuditLogsPage({ searchParams }: AuditLogsPageProps
           </CardDescription>
         </CardHeader>
         <CardContent>
-          <AuditLogList companyId={activeCompany.id} initialAuditLogs={auditLogs} />
+          <AuditLogList auditLogs={auditLogs} />
         </CardContent>
       </Card>
     </DashboardShell>
diff --git a/apps/web/app/dashboard/dashboard-summary.tsx b/apps/web/app/dashboard/dashboard-summary.tsx
index 03ad8b2..895ef0b 100644
--- a/apps/web/app/dashboard/dashboard-summary.tsx
+++ b/apps/web/app/dashboard/dashboard-summary.tsx
@@ -1,9 +1,3 @@
-"use client"
-
-import { useQuery } from "@tanstack/react-query"
-
-import { Button } from "@/components/ui/button"
-import { apiJson } from "@/lib/api/client"
 
 type DashboardSummary = {
   agents: number
@@ -12,21 +6,12 @@ type DashboardSummary = {
 }
 
 type DashboardSummaryProps = {
-  companyId: string | null
   companyCount: number
+  summary: DashboardSummary | null
 }
 
-export function DashboardSummary({ companyId, companyCount }: DashboardSummaryProps) {
-  const summaryQuery = useQuery({
-    queryKey: ["dashboard-summary", companyId],
-    queryFn: () =>
-      apiJson<{ summary: DashboardSummary }>(
-        `/api/internal/dashboard/summary?companyId=${companyId}`
-      ),
-    enabled: Boolean(companyId),
-  })
-
-  if (!companyId) {
+export function DashboardSummary({ companyCount, summary }: DashboardSummaryProps) {
+  if (!summary) {
     return (
       <div className="grid gap-4 md:grid-cols-3">
         <MetricCard label="Companies" value={companyCount} />
@@ -36,29 +21,16 @@ export function DashboardSummary({ companyId, companyCount }: DashboardSummaryPr
     )
   }
 
-  if (summaryQuery.isError) {
-    return (
-      <div className="rounded-2xl border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
-        <p>{summaryQuery.error.message}</p>
-        <Button className="mt-3" size="sm" variant="outline" onClick={() => summaryQuery.refetch()}>
-          Retry
-        </Button>
-      </div>
-    )
-  }
-
-  const summary = summaryQuery.data?.summary
-  const activeTasks = (summary?.tasks.inprogress ?? 0) + (summary?.tasks.blocked ?? 0)
+  const activeTasks = (summary.tasks.inprogress ?? 0) + (summary.tasks.blocked ?? 0)
 
   return (
     <div className="grid gap-4 md:grid-cols-3">
       <MetricCard label="Companies" value={companyCount} />
-      <MetricCard label="Agents" value={summary?.agents ?? "-"} loading={summaryQuery.isLoading} />
+      <MetricCard label="Agents" value={summary.agents} />
       <MetricCard
         label="Projects"
-        value={summary?.projects ?? "-"}
-        helper={summary ? `${activeTasks} active or blocked tasks` : undefined}
-        loading={summaryQuery.isLoading}
+        value={summary.projects}
+        helper={`${activeTasks} active or blocked tasks`}
       />
     </div>
   )
diff --git a/apps/web/app/dashboard/page.tsx b/apps/web/app/dashboard/page.tsx
index c59ad9d..5264e1f 100644
--- a/apps/web/app/dashboard/page.tsx
+++ b/apps/web/app/dashboard/page.tsx
@@ -2,6 +2,7 @@ import { BrandLogo } from "@/components/brand-logo"
 import { CreateCompanyDialog } from "@/components/dashboard/create-company-dialog"
 import { DashboardShell } from "@/components/dashboard/shell"
 import { getDashboardContext } from "@/lib/dashboard/companies"
+import { prisma } from "@/lib/prisma"
 
 import { DashboardSummary } from "./dashboard-summary"
 
@@ -12,6 +13,7 @@ type DashboardPageProps = {
 export default async function DashboardPage({ searchParams }: DashboardPageProps) {
   const { company, createCompany } = await searchParams
   const { session, companies, activeCompany } = await getDashboardContext(company)
+  const summary = activeCompany ? await getDashboardSummary(activeCompany.id) : null
 
   return (
     <DashboardShell
@@ -42,8 +44,28 @@ export default async function DashboardPage({ searchParams }: DashboardPageProps
           ) : null}
         </div>
 
-        <DashboardSummary companyId={activeCompany?.id ?? null} companyCount={companies.length} />
+        <DashboardSummary companyCount={companies.length} summary={summary} />
       </div>
     </DashboardShell>
   )
 }
+
+async function getDashboardSummary(companyId: string) {
+  const [agents, projects, tasks] = await Promise.all([
+    prisma.agent.count({ where: { companyId } }),
+    prisma.project.count({ where: { companyId } }),
+    prisma.task.groupBy({
+      by: ["status"],
+      where: { project: { companyId } },
+      _count: { _all: true },
+    }),
+  ])
+
+  const taskCounts = Object.fromEntries(tasks.map((task) => [task.status, task._count._all]))
+
+  return {
+    agents,
+    projects,
+    tasks: taskCounts,
+  }
+}

From 42f91ef3f4bcd98a25ca38762f79bd00788e23e2 Mon Sep 17 00:00:00 2001
From: Kaito <kaito@agentbridge.local>
Date: Thu, 14 May 2026 00:59:38 +0700
Subject: [PATCH 3/5] refactor(dashboard): move agents and projects to actions

---
 apps/web/app/dashboard/projects/actions.ts    | 179 ++++++++++++++++++
 .../projects/create-project-dialog.tsx        |  49 ++---
 apps/web/app/dashboard/projects/page.tsx      |  10 +-
 .../app/dashboard/projects/projects-list.tsx  | 160 +++++++++-------
 4 files changed, 297 insertions(+), 101 deletions(-)
 create mode 100644 apps/web/app/dashboard/projects/actions.ts

diff --git a/apps/web/app/dashboard/projects/actions.ts b/apps/web/app/dashboard/projects/actions.ts
new file mode 100644
index 0000000..c350e5f
--- /dev/null
+++ b/apps/web/app/dashboard/projects/actions.ts
@@ -0,0 +1,179 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
+import { invalidateProjectAndCompanyCache } from "@/lib/api/cache"
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+
+type ProjectRow = {
+  id: string
+  name: string
+  description: string
+}
+
+type ProjectResult =
+  | { ok: true; project: ProjectRow }
+  | { ok: false; error: string }
+
+type DeleteProjectResult =
+  | { ok: true; projectId: string }
+  | { ok: false; error: string }
+
+export async function createProjectAction(
+  formData: FormData
+): Promise<ProjectResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const companyId = String(formData.get("companyId") ?? "")
+  const name = String(formData.get("name") ?? "").trim()
+  const description = String(formData.get("description") ?? "").trim()
+
+  if (!companyId || !name) {
+    return { ok: false, error: "Company and project name are required." }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+    select: { id: true },
+  })
+
+  if (!company) {
+    return { ok: false, error: "Company not found." }
+  }
+
+  const project = await prisma.project.create({
+    data: {
+      companyId,
+      name,
+      description,
+    },
+    select: projectSelect,
+  })
+
+  await createAuditLog({
+    companyId,
+    action: "project.created",
+    target: { type: "project", id: project.id, name: project.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: description ? "Project created with a description." : "Project created.",
+  })
+  await invalidateProjectAndCompanyCache({
+    companyId,
+    projectId: project.id,
+  })
+  revalidateProjectPaths(project.id)
+
+  return { ok: true, project }
+}
+
+export async function renameProjectAction(
+  projectId: string,
+  formData: FormData
+): Promise<ProjectResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const name = String(formData.get("name") ?? "").trim()
+
+  if (!name) {
+    return { ok: false, error: "Project name is required." }
+  }
+
+  const project = await prisma.project.findFirst({
+    where: {
+      id: projectId,
+      company: { userId: session.userId },
+    },
+    select: { id: true, companyId: true, name: true },
+  })
+
+  if (!project) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  const updatedProject = await prisma.project.update({
+    where: { id: project.id },
+    data: { name },
+    select: projectSelect,
+  })
+
+  await createAuditLog({
+    companyId: project.companyId,
+    action: "project.updated",
+    target: { type: "project", id: project.id, name: updatedProject.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: formatChangedFields([
+      project.name !== updatedProject.name && "name",
+    ]),
+  })
+  await invalidateProjectAndCompanyCache({
+    companyId: project.companyId,
+    projectId: project.id,
+  })
+  revalidateProjectPaths(project.id)
+
+  return { ok: true, project: updatedProject }
+}
+
+export async function deleteProjectAction(
+  projectId: string
+): Promise<DeleteProjectResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const project = await prisma.project.findFirst({
+    where: {
+      id: projectId,
+      company: { userId: session.userId },
+    },
+    select: { id: true, companyId: true, name: true },
+  })
+
+  if (!project) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  await prisma.project.delete({ where: { id: project.id } })
+
+  await createAuditLog({
+    companyId: project.companyId,
+    action: "project.deleted",
+    target: { type: "project", id: project.id, name: project.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: "Project deleted.",
+  })
+  await invalidateProjectAndCompanyCache({
+    companyId: project.companyId,
+    projectId: project.id,
+  })
+  revalidateProjectPaths(project.id)
+
+  return { ok: true, projectId: project.id }
+}
+
+const projectSelect = {
+  id: true,
+  name: true,
+  description: true,
+} as const
+
+function revalidateProjectPaths(projectId?: string) {
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/projects")
+
+  if (projectId) {
+    revalidatePath(`/dashboard/projects/${projectId}`)
+  }
+}
diff --git a/apps/web/app/dashboard/projects/create-project-dialog.tsx b/apps/web/app/dashboard/projects/create-project-dialog.tsx
index 234e7e7..60d3aaf 100644
--- a/apps/web/app/dashboard/projects/create-project-dialog.tsx
+++ b/apps/web/app/dashboard/projects/create-project-dialog.tsx
@@ -1,6 +1,6 @@
 "use client"
 
-import { useMutation, useQueryClient } from "@tanstack/react-query"
+import { useState, useTransition } from "react"
 
 import { Button } from "@/components/ui/button"
 import {
@@ -14,39 +14,42 @@ import {
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
+
+import { createProjectAction } from "./actions"
 
 
 type CreateProjectDialogProps = {
   companyId: string | null
+  onCreated?: (project: { id: string; name: string; description: string }) => void
 }
 
-export function CreateProjectDialog({ companyId }: CreateProjectDialogProps) {
-  const queryClient = useQueryClient()
-  const mutation = useMutation({
-    mutationFn: (payload: { companyId: string; name: string; description: string }) =>
-      apiJson("/api/internal/projects", {
-        method: "POST",
-        body: JSON.stringify(payload),
-      }),
-    onSuccess: () => {
-      queryClient.invalidateQueries({ queryKey: ["projects", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["dashboard-summary", companyId] })
-    },
-  })
+export function CreateProjectDialog({
+  companyId,
+  onCreated,
+}: CreateProjectDialogProps) {
+  const [open, setOpen] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const [isPending, startTransition] = useTransition()
 
   function action(formData: FormData) {
     if (!companyId) return
 
-    mutation.mutate({
-      companyId,
-      name: String(formData.get("name") ?? ""),
-      description: String(formData.get("description") ?? ""),
+    setError(null)
+    startTransition(async () => {
+      const result = await createProjectAction(formData)
+
+      if (!result.ok) {
+        setError(result.error)
+        return
+      }
+
+      onCreated?.(result.project)
+      setOpen(false)
     })
   }
 
   return (
-    <Dialog>
+    <Dialog open={open} onOpenChange={setOpen}>
       <DialogTrigger asChild>
         <Button disabled={!companyId} type="button">
           New project
@@ -69,9 +72,9 @@ export function CreateProjectDialog({ companyId }: CreateProjectDialogProps) {
             <Label htmlFor="project-description">Description</Label>
             <Textarea id="project-description" name="description" rows={4} />
           </div>
-          {mutation.error ? <p className="text-sm text-destructive">{mutation.error.message}</p> : null}
-          <Button disabled={mutation.isPending || !companyId} type="submit">
-            {mutation.isPending ? "Creating..." : "Create project"}
+          {error ? <p className="text-sm text-destructive">{error}</p> : null}
+          <Button disabled={isPending || !companyId} type="submit">
+            {isPending ? "Creating..." : "Create project"}
           </Button>
         </form>
       </DialogContent>
diff --git a/apps/web/app/dashboard/projects/page.tsx b/apps/web/app/dashboard/projects/page.tsx
index 87a1139..50553a5 100644
--- a/apps/web/app/dashboard/projects/page.tsx
+++ b/apps/web/app/dashboard/projects/page.tsx
@@ -3,7 +3,6 @@ import { redirect } from "next/navigation"
 import { DashboardShell } from "@/components/dashboard/shell"
 import {
   Card,
-  CardAction,
   CardContent,
   CardDescription,
   CardHeader,
@@ -12,7 +11,6 @@ import {
 import { getDashboardContext } from "@/lib/dashboard/companies"
 import { prisma } from "@/lib/prisma"
 
-import { CreateProjectDialog } from "./create-project-dialog"
 import { ProjectsList } from "./projects-list"
 
 type ProjectsPageProps = {
@@ -53,12 +51,12 @@ export default async function ProjectsPage({ searchParams }: ProjectsPageProps)
           <CardDescription>
             Track work and task progress for the active company.
           </CardDescription>
-          <CardAction>
-            <CreateProjectDialog companyId={activeCompany.id} />
-          </CardAction>
         </CardHeader>
         <CardContent>
-          <ProjectsList companyId={activeCompany.id} initialProjects={projects} />
+          <ProjectsList
+            companyId={activeCompany.id}
+            initialProjects={projects}
+          />
         </CardContent>
       </Card>
     </DashboardShell>
diff --git a/apps/web/app/dashboard/projects/projects-list.tsx b/apps/web/app/dashboard/projects/projects-list.tsx
index f07c7dd..d801b35 100644
--- a/apps/web/app/dashboard/projects/projects-list.tsx
+++ b/apps/web/app/dashboard/projects/projects-list.tsx
@@ -1,8 +1,7 @@
 "use client"
 
 import Link from "next/link"
-import { useState } from "react"
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
+import { useState, useTransition } from "react"
 import { MoreHorizontalIcon } from "lucide-react"
 
 import {
@@ -34,7 +33,9 @@ import {
 } from "@/components/ui/dropdown-menu"
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
-import { apiJson } from "@/lib/api/client"
+
+import { CreateProjectDialog } from "./create-project-dialog"
+import { deleteProjectAction, renameProjectAction } from "./actions"
 
 type ProjectRow = {
   id: string
@@ -48,31 +49,43 @@ type ProjectsListProps = {
 }
 
 export function ProjectsList({ companyId, initialProjects }: ProjectsListProps) {
-  const projectsQuery = useQuery({
-    queryKey: ["projects", companyId],
-    queryFn: () =>
-      apiJson<{ projects: ProjectRow[] }>(`/api/internal/projects?companyId=${companyId}`),
-    initialData: { projects: initialProjects },
-  })
-  const projects = projectsQuery.data.projects
-
-  if (projectsQuery.isLoading) {
-    return <ProjectsListSkeleton />
+  const [projects, setProjects] = useState(initialProjects)
+
+  function handleProjectUpdated(updatedProject: ProjectRow) {
+    setProjects((currentProjects) =>
+      currentProjects
+        .map((project) =>
+          project.id === updatedProject.id ? updatedProject : project
+        )
+        .sort((firstProject, secondProject) =>
+          firstProject.name.localeCompare(secondProject.name)
+        )
+    )
   }
 
-  if (projectsQuery.isError) {
-    return (
-      <div className="rounded-2xl border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
-        <p>{projectsQuery.error.message}</p>
-        <Button className="mt-3" size="sm" variant="outline" onClick={() => projectsQuery.refetch()}>
-          Retry
-        </Button>
-      </div>
+  function handleProjectDeleted(projectId: string) {
+    setProjects((currentProjects) =>
+      currentProjects.filter((project) => project.id !== projectId)
+    )
+  }
+
+  function handleProjectCreated(project: ProjectRow) {
+    setProjects((currentProjects) =>
+      [...currentProjects, project].sort((firstProject, secondProject) =>
+        firstProject.name.localeCompare(secondProject.name)
+      )
     )
   }
 
   return (
-    <div className="grid gap-4 md:grid-cols-2 xl:grid-cols-3">
+    <div className="space-y-5">
+      <div className="flex justify-end">
+        <CreateProjectDialog
+          companyId={companyId}
+          onCreated={handleProjectCreated}
+        />
+      </div>
+      <div className="grid gap-4 md:grid-cols-2 xl:grid-cols-3">
       {projects.length ? (
         projects.map((project) => (
           <Card key={project.id} className="h-full transition hover:bg-muted/40 hover:ring-foreground/20" size="sm">
@@ -83,7 +96,11 @@ export function ProjectsList({ companyId, initialProjects }: ProjectsListProps)
                   <CardDescription>{project.description || "No description"}</CardDescription>
                 </CardHeader>
               </Link>
-              <ProjectActions companyId={companyId} project={project} />
+              <ProjectActions
+                project={project}
+                onDeleted={handleProjectDeleted}
+                onUpdated={handleProjectUpdated}
+              />
             </div>
           </Card>
         ))
@@ -92,58 +109,57 @@ export function ProjectsList({ companyId, initialProjects }: ProjectsListProps)
           No projects yet.
         </p>
       )}
-    </div>
-  )
-}
-
-function ProjectsListSkeleton() {
-  return (
-    <div className="grid gap-4 md:grid-cols-2 xl:grid-cols-3" aria-label="Loading projects">
-      {Array.from({ length: 6 }, (_, index) => (
-        <Card key={index} className="h-32 animate-pulse bg-muted" size="sm" />
-      ))}
+      </div>
     </div>
   )
 }
 
 type ProjectActionsProps = {
-  companyId: string
   project: ProjectRow
+  onDeleted: (projectId: string) => void
+  onUpdated: (project: ProjectRow) => void
 }
 
-function ProjectActions({ companyId, project }: ProjectActionsProps) {
+function ProjectActions({
+  project,
+  onDeleted,
+  onUpdated,
+}: ProjectActionsProps) {
   const [renameOpen, setRenameOpen] = useState(false)
   const [deleteOpen, setDeleteOpen] = useState(false)
-  const queryClient = useQueryClient()
-
-  const renameMutation = useMutation({
-    mutationFn: (payload: { name: string }) =>
-      apiJson<{ project: ProjectRow }>(`/api/internal/projects/${project.id}`, {
-        method: "PATCH",
-        body: JSON.stringify(payload),
-      }),
-    onSuccess: () => {
-      setRenameOpen(false)
-      queryClient.invalidateQueries({ queryKey: ["projects", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["dashboard-summary", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["project", project.id] })
-    },
-  })
-  const deleteMutation = useMutation({
-    mutationFn: () =>
-      apiJson(`/api/internal/projects/${project.id}`, {
-        method: "DELETE",
-      }),
-    onSuccess: () => {
-      setDeleteOpen(false)
-      queryClient.invalidateQueries({ queryKey: ["projects", companyId] })
-      queryClient.invalidateQueries({ queryKey: ["dashboard-summary", companyId] })
-      queryClient.removeQueries({ queryKey: ["project", project.id] })
-    },
-  })
+  const [renameError, setRenameError] = useState<string | null>(null)
+  const [deleteError, setDeleteError] = useState<string | null>(null)
+  const [isRenamePending, startRenameTransition] = useTransition()
+  const [isDeletePending, startDeleteTransition] = useTransition()
 
   function renameAction(formData: FormData) {
-    renameMutation.mutate({ name: String(formData.get("name") ?? "") })
+    setRenameError(null)
+    startRenameTransition(async () => {
+      const result = await renameProjectAction(project.id, formData)
+
+      if (!result.ok) {
+        setRenameError(result.error)
+        return
+      }
+
+      onUpdated(result.project)
+      setRenameOpen(false)
+    })
+  }
+
+  function deleteAction() {
+    setDeleteError(null)
+    startDeleteTransition(async () => {
+      const result = await deleteProjectAction(project.id)
+
+      if (!result.ok) {
+        setDeleteError(result.error)
+        return
+      }
+
+      onDeleted(result.projectId)
+      setDeleteOpen(false)
+    })
   }
 
   return (
@@ -178,11 +194,11 @@ function ProjectActions({ companyId, project }: ProjectActionsProps) {
               <Label htmlFor={`project-name-${project.id}`}>Name</Label>
               <Input id={`project-name-${project.id}`} name="name" defaultValue={project.name} required />
             </div>
-            {renameMutation.error ? (
-              <p className="text-sm text-destructive">{renameMutation.error.message}</p>
+            {renameError ? (
+              <p className="text-sm text-destructive">{renameError}</p>
             ) : null}
-            <Button disabled={renameMutation.isPending} type="submit">
-              {renameMutation.isPending ? "Saving..." : "Save name"}
+            <Button disabled={isRenamePending} type="submit">
+              {isRenamePending ? "Saving..." : "Save name"}
             </Button>
           </form>
         </DialogContent>
@@ -196,14 +212,14 @@ function ProjectActions({ companyId, project }: ProjectActionsProps) {
               This removes the project and all of its tasks. This cannot be undone.
             </AlertDialogDescription>
           </AlertDialogHeader>
-          {deleteMutation.error ? (
-            <p className="text-sm text-destructive">{deleteMutation.error.message}</p>
+          {deleteError ? (
+            <p className="text-sm text-destructive">{deleteError}</p>
           ) : null}
           <AlertDialogFooter>
             <AlertDialogCancel>Cancel</AlertDialogCancel>
-            <form action={() => deleteMutation.mutate()}>
-              <AlertDialogAction disabled={deleteMutation.isPending} variant="destructive" type="submit">
-                {deleteMutation.isPending ? "Deleting..." : "Delete"}
+            <form action={deleteAction}>
+              <AlertDialogAction disabled={isDeletePending} variant="destructive" type="submit">
+                {isDeletePending ? "Deleting..." : "Delete"}
               </AlertDialogAction>
             </form>
           </AlertDialogFooter>

From 14c504abc6a979b2c0ec4569ca21715a277f8d09 Mon Sep 17 00:00:00 2001
From: Kaito <kaito@agentbridge.local>
Date: Thu, 14 May 2026 01:39:36 +0700
Subject: [PATCH 4/5] refactor(dashboard): migrate remaining internal fetches

---
 apps/web/app/dashboard/brief/actions.ts       | 482 +++++++++++
 apps/web/app/dashboard/brief/brief-client.tsx |  18 +-
 .../dashboard/projects/[projectId]/actions.ts | 767 ++++++++++++++++++
 .../[projectId]/create-task-dialog.tsx        |  32 +-
 .../[projectId]/project-agents-manager.tsx    |  12 +-
 .../[projectId]/project-detail-client.tsx     |  47 +-
 .../projects/[projectId]/task-kanban.tsx      |  93 +--
 apps/web/app/dashboard/settings/actions.ts    | 203 +++++
 .../settings/company-settings-form.tsx        |  36 +-
 apps/web/components/dashboard/actions.ts      |  45 +
 .../dashboard/change-password-dialog.tsx      |  11 +-
 .../dashboard/change-username-dialog.tsx      |  11 +-
 .../dashboard/create-company-dialog.tsx       |  11 +-
 13 files changed, 1627 insertions(+), 141 deletions(-)
 create mode 100644 apps/web/app/dashboard/brief/actions.ts
 create mode 100644 apps/web/app/dashboard/projects/[projectId]/actions.ts
 create mode 100644 apps/web/app/dashboard/settings/actions.ts
 create mode 100644 apps/web/components/dashboard/actions.ts

diff --git a/apps/web/app/dashboard/brief/actions.ts b/apps/web/app/dashboard/brief/actions.ts
new file mode 100644
index 0000000..482c06f
--- /dev/null
+++ b/apps/web/app/dashboard/brief/actions.ts
@@ -0,0 +1,482 @@
+"use server"
+
+import { Status } from "@/generated/prisma/enums"
+import {
+  cacheJson,
+  cacheKey,
+  cacheTtl,
+  getCompanyCacheVersion,
+  getProjectCacheVersion,
+} from "@/lib/api/cache"
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+
+const briefRanges = ["today", "7d"] as const
+const sectionLimit = 10
+
+type BriefRangeKey = (typeof briefRanges)[number]
+
+type ActionResult<T> = ({ ok: true } & T) | { ok: false; error: string }
+
+export async function getBriefAction({
+  companyId,
+  projectId,
+  range,
+}: {
+  companyId: string
+  projectId?: string | null
+  range: string
+}): Promise<ActionResult<{ brief: BriefData }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const rangeParam = range || "today"
+
+  if (!companyId) {
+    return { ok: false, error: "Company is required." }
+  }
+
+  if (!isBriefRange(rangeParam)) {
+    return { ok: false, error: "Range must be today or 7d." }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+    select: { id: true },
+  })
+
+  if (!company) {
+    return { ok: false, error: "Company not found." }
+  }
+
+  const projectFilter = projectId
+    ? await prisma.project.findFirst({
+        where: { id: projectId, companyId: company.id },
+        select: { id: true, name: true },
+      })
+    : null
+
+  if (projectId && !projectFilter) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  const companyVersion = await getCompanyCacheVersion(company.id)
+  const projectVersion = projectId
+    ? await getProjectCacheVersion(projectId)
+    : "none"
+  const { value } = await cacheJson(
+    cacheKey([
+      "internal",
+      "dashboard-brief",
+      session.userId,
+      company.id,
+      projectId,
+      rangeParam,
+      companyVersion,
+      projectVersion,
+    ]),
+    cacheTtl.dashboardBrief,
+    async () => {
+      const now = new Date()
+      const since = getRangeStart(rangeParam, now)
+      const projectWhere = projectId
+    ? { id: projectId, companyId: company.id }
+    : { companyId: company.id }
+      const taskWhere = {
+    archivedAt: null,
+    project: projectWhere,
+  }
+      const projectTaskIds = projectId
+    ? await prisma.task.findMany({
+        where: {
+          projectId,
+          project: { companyId: company.id },
+        },
+        select: { id: true },
+      })
+    : []
+      const auditLogWhere = projectId
+    ? {
+        companyId: company.id,
+        createdAt: { gte: since },
+        OR: [
+          { targetType: "project", targetId: projectId },
+          {
+            targetType: "task",
+            targetId: { in: projectTaskIds.map((task) => task.id) },
+          },
+        ],
+      }
+    : {
+        companyId: company.id,
+        createdAt: { gte: since },
+      }
+      const taskSelect = {
+    id: true,
+    name: true,
+    status: true,
+    note: true,
+    summaryUpdatedAt: true,
+    blockingReason: true,
+    taskUpdatedAt: true,
+    taskUpdatedByName: true,
+    taskUpdatedByType: true,
+    assigned: {
+      select: {
+        id: true,
+        name: true,
+      },
+    },
+    project: {
+      select: {
+        id: true,
+        name: true,
+      },
+    },
+  }
+
+      const [
+    projects,
+    changedTasks,
+    blockedTasks,
+    completedTasks,
+    latestNotes,
+    auditLogs,
+      ] = await Promise.all([
+    prisma.project.findMany({
+      where: { companyId: company.id },
+      orderBy: { name: "asc" },
+      select: { id: true, name: true },
+    }),
+    prisma.task.findMany({
+      where: {
+        ...taskWhere,
+        taskUpdatedAt: { gte: since },
+      },
+      orderBy: { taskUpdatedAt: "desc" },
+      take: 50,
+      select: taskSelect,
+    }),
+    prisma.task.findMany({
+      where: {
+        ...taskWhere,
+        status: Status.blocked,
+      },
+      orderBy: { taskUpdatedAt: "desc" },
+      take: sectionLimit,
+      select: taskSelect,
+    }),
+    prisma.task.findMany({
+      where: {
+        ...taskWhere,
+        status: Status.done,
+        OR: [
+          { taskUpdatedAt: { gte: since } },
+          { summaryUpdatedAt: { gte: since } },
+        ],
+      },
+      orderBy: [{ summaryUpdatedAt: "desc" }, { taskUpdatedAt: "desc" }],
+      take: sectionLimit,
+      select: taskSelect,
+    }),
+    prisma.task.findMany({
+      where: {
+        ...taskWhere,
+        note: { not: null },
+        OR: [
+          { summaryUpdatedAt: { gte: since } },
+          { taskUpdatedAt: { gte: since } },
+        ],
+      },
+      orderBy: [{ summaryUpdatedAt: "desc" }, { taskUpdatedAt: "desc" }],
+      take: sectionLimit,
+      select: taskSelect,
+    }),
+    prisma.auditLog.findMany({
+      where: auditLogWhere,
+      orderBy: { createdAt: "desc" },
+      take: 100,
+      select: {
+        id: true,
+        action: true,
+        targetType: true,
+        targetId: true,
+        targetName: true,
+        details: true,
+        actorType: true,
+        actorName: true,
+        createdAt: true,
+      },
+    }),
+  ])
+
+      const readyForReview = latestNotes
+    .filter((task) => task.status === Status.done && task.note?.trim())
+    .slice(0, sectionLimit)
+    .map((task) => ({
+      ...serializeTask(task),
+      reason: getReviewReason(task.name, task.note ?? ""),
+    }))
+      const brief = {
+    range: {
+      key: rangeParam,
+      label: rangeParam === "today" ? "Last 24 hours" : "Last 7 days",
+      since: since.toISOString(),
+      until: now.toISOString(),
+    },
+    project: projectFilter,
+    projects,
+    counts: {
+      changed: changedTasks.length + auditLogs.length,
+      completed: completedTasks.length,
+      blockers: blockedTasks.length,
+      notes: latestNotes.length,
+      readyForReview: readyForReview.length,
+    },
+    recentActivity: [
+      ...auditLogs.map((log) => ({
+        id: log.id,
+        kind: log.action,
+        title: formatAction(log.action, log.targetName),
+        subtitle: log.details,
+        actorName: log.actorName ?? fallbackActorLabel(log.actorType),
+        actorType: log.actorType,
+        occurredAt: log.createdAt.toISOString(),
+        href: getAuditHref({
+          targetType: log.targetType,
+          targetId: log.targetId,
+          companyId: company.id,
+          projectId: projectId ?? null,
+        }),
+      })),
+      ...changedTasks.map((task) => ({
+        id: `task-${task.id}`,
+        kind: `task.${task.status}`,
+        title: task.name,
+        subtitle: `${task.project.name} • ${task.status}`,
+        actorName:
+          task.taskUpdatedByName ?? fallbackActorLabel(task.taskUpdatedByType),
+        actorType: task.taskUpdatedByType,
+        occurredAt: task.taskUpdatedAt.toISOString(),
+        href: taskHref(task.project.id, task.id, company.id),
+      })),
+    ]
+      .sort(
+        (left, right) =>
+          new Date(right.occurredAt).getTime() -
+          new Date(left.occurredAt).getTime()
+      )
+      .slice(0, sectionLimit),
+    completedTasks: completedTasks.map((task) =>
+      serializeTask(task, company.id)
+    ),
+    blockers: blockedTasks.map((task) => serializeTask(task, company.id)),
+    latestNotes: latestNotes.map((task) => serializeTask(task, company.id)),
+    readyForReview,
+    suggestedActions: getSuggestedActions({
+      blockers: blockedTasks.length,
+      readyForReview: readyForReview.length,
+      changed: changedTasks.length + auditLogs.length,
+      companyId: company.id,
+    }),
+  }
+
+      return { brief }
+    }
+  )
+
+
+
+  return { ok: true, brief: value.brief }
+}
+
+type BriefTask = {
+  id: string
+  name: string
+  status: string
+  summary: string | null
+  summaryUpdatedAt: string | null
+  blockingReason: string | null
+  taskUpdatedAt: string
+  assigned: { id: string; name: string }
+  project: { id: string; name: string }
+  href: string
+}
+
+type BriefActivity = {
+  id: string
+  kind: string
+  title: string
+  subtitle: string | null
+  actorName: string
+  actorType: string
+  occurredAt: string
+  href: string
+}
+
+type BriefData = {
+  range: { key: BriefRangeKey; label: string; since: string; until: string }
+  project: { id: string; name: string } | null
+  projects: Array<{ id: string; name: string }>
+  counts: {
+    changed: number
+    completed: number
+    blockers: number
+    notes: number
+    readyForReview: number
+  }
+  recentActivity: BriefActivity[]
+  completedTasks: BriefTask[]
+  blockers: BriefTask[]
+  latestNotes: BriefTask[]
+  readyForReview: Array<BriefTask & { reason: string }>
+  suggestedActions: Array<{
+    label: string
+    reason: string
+    href: string
+    priority: "high" | "medium" | "low"
+  }>
+}
+
+function isBriefRange(value: string): value is BriefRangeKey {
+  return briefRanges.includes(value as BriefRangeKey)
+}
+
+function getRangeStart(range: BriefRangeKey, now: Date) {
+  const start = new Date(now)
+  start.setDate(start.getDate() - (range === "today" ? 1 : 7))
+
+  return start
+}
+
+function serializeTask(
+  task: {
+    id: string
+    name: string
+    status: Status
+    note: string | null
+    summaryUpdatedAt: Date | null
+    blockingReason: string | null
+    taskUpdatedAt: Date
+    assigned: { id: string; name: string }
+    project: { id: string; name: string }
+  },
+  companyId?: string
+) {
+  return {
+    id: task.id,
+    name: task.name,
+    status: task.status,
+    summary: task.note,
+    summaryUpdatedAt: task.summaryUpdatedAt?.toISOString() ?? null,
+    blockingReason: task.blockingReason,
+    taskUpdatedAt: task.taskUpdatedAt.toISOString(),
+    assigned: task.assigned,
+    project: task.project,
+    href: taskHref(task.project.id, task.id, companyId),
+  }
+}
+
+function taskHref(projectId: string, taskId: string, companyId?: string) {
+  const search = companyId ? `?company=${companyId}` : ""
+
+  return `/dashboard/projects/${projectId}${search}#task-${taskId}`
+}
+
+function getAuditHref({
+  companyId,
+  targetId,
+  targetType,
+  projectId,
+}: {
+  companyId: string
+  projectId: string | null
+  targetId: string | null
+  targetType: string
+}) {
+  if (targetType === "project" && targetId) {
+    return `/dashboard/projects/${targetId}?company=${companyId}`
+  }
+
+  if (targetType === "task" && targetId && projectId) {
+    return taskHref(projectId, targetId, companyId)
+  }
+
+  return `/dashboard/audit-logs?company=${companyId}`
+}
+
+function formatAction(action: string, targetName: string | null) {
+  const label = action
+    .split(".")
+    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+    .join(" ")
+
+  return targetName ? `${label}: ${targetName}` : label
+}
+
+function fallbackActorLabel(type: string) {
+  if (type === "agent") return "Agent"
+  if (type === "user") return "User"
+
+  return "System"
+}
+
+function getReviewReason(name: string, note: string) {
+  const text = `${name} ${note}`
+
+  if (/merge/i.test(text)) return "Mentions merge"
+  if (/review|qa/i.test(text)) return "Mentions review"
+
+  return "Done with summary"
+}
+
+function getSuggestedActions({
+  blockers,
+  changed,
+  companyId,
+  readyForReview,
+}: {
+  blockers: number
+  changed: number
+  companyId: string
+  readyForReview: number
+}) {
+  const actions: Array<{
+    label: string
+    reason: string
+    href: string
+    priority: "high" | "medium" | "low"
+  }> = []
+
+  if (blockers) {
+    actions.push({
+      label: "Resolve or reassign blockers",
+      reason: `${blockers} blocked task${blockers === 1 ? "" : "s"} need attention.`,
+      href: `/dashboard/projects?company=${companyId}`,
+      priority: "high",
+    })
+  }
+
+  if (readyForReview) {
+    actions.push({
+      label: "Review done summaries",
+      reason: `${readyForReview} completed task${readyForReview === 1 ? "" : "s"} look ready for review.`,
+      href: `/dashboard/notes?company=${companyId}`,
+      priority: "medium",
+    })
+  }
+
+  if (!changed) {
+    actions.push({
+      label: "Check active project boards",
+      reason: "No tracked changes in this range.",
+      href: `/dashboard/projects?company=${companyId}`,
+      priority: "low",
+    })
+  }
+
+  return actions.slice(0, 5)
+}
diff --git a/apps/web/app/dashboard/brief/brief-client.tsx b/apps/web/app/dashboard/brief/brief-client.tsx
index f9f583b..d18a75b 100644
--- a/apps/web/app/dashboard/brief/brief-client.tsx
+++ b/apps/web/app/dashboard/brief/brief-client.tsx
@@ -27,7 +27,7 @@ import {
   SelectTrigger,
   SelectValue,
 } from "@/components/ui/select"
-import { apiJson } from "@/lib/api/client"
+import { getBriefAction } from "./actions"
 
 type BriefRange = "today" | "7d"
 type BriefTask = {
@@ -81,16 +81,18 @@ export function BriefClient({ companyId }: { companyId: string }) {
   const [projectId, setProjectId] = useState("all")
   const query = useQuery({
     queryKey: ["dashboard-brief", companyId, range, projectId],
-    queryFn: () => {
-      const params = new URLSearchParams({ companyId, range })
+    queryFn: async () => {
+      const result = await getBriefAction({
+        companyId,
+        range,
+        projectId: projectId === "all" ? null : projectId,
+      })
 
-      if (projectId !== "all") {
-        params.set("projectId", projectId)
+      if (!result.ok) {
+        throw new Error(result.error)
       }
 
-      return apiJson<{ brief: BriefData }>(
-        `/api/internal/dashboard/brief?${params}`
-      )
+      return { brief: result.brief as BriefData }
     },
   })
   const brief = query.data?.brief
diff --git a/apps/web/app/dashboard/projects/[projectId]/actions.ts b/apps/web/app/dashboard/projects/[projectId]/actions.ts
new file mode 100644
index 0000000..6d65cf7
--- /dev/null
+++ b/apps/web/app/dashboard/projects/[projectId]/actions.ts
@@ -0,0 +1,767 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import { Status } from "@/generated/prisma/enums"
+import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
+import { invalidateProjectAndCompanyCache } from "@/lib/api/cache"
+import {
+  projectAgentSelect,
+  serializeProjectAgents,
+} from "@/lib/api/project-agents"
+import {
+  hasDependencyCycle,
+  serializeTaskDependencies,
+} from "@/lib/api/task-dependencies"
+import { userTaskUpdater } from "@/lib/api/task-updater"
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+
+import type { ProjectDetailData, ProjectTaskDetail } from "./types"
+
+const statuses = Object.values(Status)
+
+type ActionResult<T> = ({ ok: true } & T) | { ok: false; error: string }
+
+type TaskMutationPayload = {
+  assignedAgentId: string
+  name: string
+  job: string
+  status: string
+  note: string
+  readByAgentIds: string[]
+  blockingReason: string
+  dependencyIds?: string[]
+}
+
+type CreateTaskPayload = TaskMutationPayload & {
+  projectId: string
+}
+
+export async function getProjectDetailAction(
+  projectId: string
+): Promise<ActionResult<{ project: ProjectDetailData }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const project = (await loadProjectDetail(projectId, session.userId)) as ProjectDetailData | null
+
+  if (!project) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  return { ok: true, project }
+}
+
+export async function getTaskDetailAction(
+  taskId: string
+): Promise<ActionResult<{ task: ProjectTaskDetail }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const task = await loadTaskDetail(taskId, session.userId)
+
+  if (!task) {
+    return { ok: false, error: "Task not found." }
+  }
+
+  return { ok: true, task }
+}
+
+export async function updateProjectAgentsAction(
+  projectId: string,
+  agentIds: string[]
+): Promise<ActionResult<{ agentIds: string[] }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const project = await prisma.project.findFirst({
+    where: { id: projectId, company: { userId: session.userId } },
+    select: {
+      id: true,
+      name: true,
+      companyId: true,
+      agents: { select: { agentId: true } },
+      company: {
+        select: {
+          agents: {
+            where: { id: { in: agentIds } },
+            select: { id: true },
+          },
+        },
+      },
+    },
+  })
+
+  if (!project) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  const uniqueAgentIds = Array.from(new Set(agentIds.filter(Boolean)))
+
+  if (project.company.agents.length !== uniqueAgentIds.length) {
+    return { ok: false, error: "Agent not found." }
+  }
+
+  await prisma.$transaction(async (tx: typeof prisma) => {
+    await tx.projectAgent.deleteMany({ where: { projectId: project.id } })
+
+    if (uniqueAgentIds.length) {
+      await tx.projectAgent.createMany({
+        data: uniqueAgentIds.map((agentId) => ({
+          projectId: project.id,
+          agentId,
+        })),
+      })
+    }
+  })
+
+  await createAuditLog({
+    companyId: project.companyId,
+    action: "project.agents_updated",
+    target: { type: "project", id: project.id, name: project.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: `Project agents changed from ${project.agents.length} to ${uniqueAgentIds.length}.`,
+  })
+  await invalidateAndRevalidate(project.companyId, project.id)
+
+  return { ok: true, agentIds: uniqueAgentIds }
+}
+
+export async function createTaskAction(
+  payload: CreateTaskPayload
+): Promise<ActionResult<{ task: ProjectTaskDetail }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const projectId = payload.projectId
+  const assignedAgentId = payload.assignedAgentId
+  const name = payload.name.trim()
+  const job = payload.job.trim()
+  const status = payload.status || "todo"
+  const note = payload.note.trim()
+  const blockingReason = payload.blockingReason.trim()
+  const readByAgentIds = uniqueStrings(payload.readByAgentIds)
+  const dependencyIds = uniqueStrings(payload.dependencyIds ?? [])
+
+  if (!projectId || !assignedAgentId || !name || !job) {
+    return { ok: false, error: "Project, agent, name, and job are required." }
+  }
+
+  if (!statuses.includes(status as Status)) {
+    return { ok: false, error: "Invalid task status." }
+  }
+
+  const project = await prisma.project.findFirst({
+    where: { id: projectId, company: { userId: session.userId } },
+    select: {
+      id: true,
+      companyId: true,
+      tasks: {
+        where: { id: { in: dependencyIds }, archivedAt: null },
+        select: { id: true },
+      },
+      company: {
+        select: {
+          agents: {
+            where: { id: { in: readByAgentIds } },
+            select: { id: true },
+          },
+        },
+      },
+      agents: {
+        where: { agentId: assignedAgentId },
+        select: { agentId: true },
+      },
+    },
+  })
+
+  if (!project) {
+    return { ok: false, error: "Project or agent not found." }
+  }
+
+  if (!project.agents.length) {
+    return { ok: false, error: "Agent is not assigned to this project." }
+  }
+
+  if (project.company.agents.length !== readByAgentIds.length) {
+    return { ok: false, error: "Read marker agent not found." }
+  }
+
+  if (project.tasks.length !== dependencyIds.length) {
+    return { ok: false, error: "Dependency task not found." }
+  }
+
+  const task = await prisma.task.create({
+    data: {
+      projectId,
+      assignedAgentId,
+      name,
+      job,
+      status: status as Status,
+      note: note || null,
+      summaryUpdatedAt: note ? new Date() : null,
+      blockingReason: blockingReason || null,
+      ...userTaskUpdater({ id: session.userId, name: session.username }),
+      readMarkers: {
+        create: readByAgentIds.map((agentId) => ({
+          agentId,
+          status: status as Status,
+        })),
+      },
+      blockedByDependencies: {
+        create: dependencyIds.map((dependencyTaskId) => ({ dependencyTaskId })),
+      },
+    },
+    include: taskDetailInclude,
+  })
+
+  await createAuditLog({
+    companyId: project.companyId,
+    action: "task.created",
+    target: { type: "task", id: task.id, name: task.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: `Created as ${task.status} and assigned to ${task.assigned.name}${dependencyIds.length ? ` with ${dependencyIds.length} dependencies` : ""}.`,
+  })
+  await invalidateAndRevalidate(project.companyId, project.id)
+
+  return { ok: true, task: serializeTaskDependencies(task) as unknown as ProjectTaskDetail }
+}
+
+export async function updateTaskStatusAction(
+  taskId: string,
+  status: Status
+): Promise<ActionResult<{ task: ProjectTaskDetail }>> {
+  return updateTaskAction(taskId, { status } as TaskMutationPayload)
+}
+
+export async function updateTaskAction(
+  taskId: string,
+  payload: Partial<TaskMutationPayload>
+): Promise<ActionResult<{ task: ProjectTaskDetail }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const assignedAgentId = payload.assignedAgentId
+  const name = payload.name?.trim()
+  const job = payload.job?.trim()
+  const status = payload.status
+  const note = payload.note?.trim()
+  const hasNote = payload.note !== undefined
+  const hasReadByAgentIds = payload.readByAgentIds !== undefined
+  const readByAgentIds = uniqueStrings(payload.readByAgentIds ?? [])
+  const hasDependencyIds = payload.dependencyIds !== undefined
+  const dependencyIds = uniqueStrings(payload.dependencyIds ?? [])
+  const blockingReason = payload.blockingReason?.trim()
+
+  if (status && !statuses.includes(status as Status)) {
+    return { ok: false, error: "Invalid task status." }
+  }
+
+  if (name === "" || job === "") {
+    return { ok: false, error: "Task name and job are required." }
+  }
+
+  const task = await prisma.task.findFirst({
+    where: {
+      id: taskId,
+      project: { company: { userId: session.userId } },
+      archivedAt: null,
+    },
+    select: {
+      id: true,
+      name: true,
+      job: true,
+      note: true,
+      status: true,
+      blockingReason: true,
+      assignedAgentId: true,
+      projectId: true,
+      project: { select: { companyId: true } },
+      assigned: { select: { name: true } },
+    },
+  })
+
+  if (!task) {
+    return { ok: false, error: "Task not found." }
+  }
+
+  if (assignedAgentId && assignedAgentId !== task.assignedAgentId) {
+    const projectAgent = await prisma.projectAgent.findFirst({
+      where: {
+        projectId: task.projectId,
+        agentId: assignedAgentId,
+        project: { company: { userId: session.userId } },
+      },
+      select: { agentId: true },
+    })
+
+    if (!projectAgent) {
+      return { ok: false, error: "Agent is not assigned to this project." }
+    }
+  }
+
+  if (hasDependencyIds && dependencyIds.includes(task.id)) {
+    return { ok: false, error: "Task cannot depend on itself." }
+  }
+
+  if (hasDependencyIds && dependencyIds.length) {
+    const dependencyTasks = await prisma.task.findMany({
+      where: {
+        id: { in: dependencyIds },
+        projectId: task.projectId,
+        archivedAt: null,
+        project: { company: { userId: session.userId } },
+      },
+      select: { id: true },
+    })
+
+    if (dependencyTasks.length !== dependencyIds.length) {
+      return { ok: false, error: "Dependency task not found." }
+    }
+
+    const projectDependencies = await prisma.taskDependency.findMany({
+      where: { blockedTask: { projectId: task.projectId, archivedAt: null } },
+      select: { blockedTaskId: true, dependencyTaskId: true },
+    })
+
+    if (hasDependencyCycle(projectDependencies, task.id, dependencyIds)) {
+      return { ok: false, error: "Task dependencies cannot create a cycle." }
+    }
+  }
+
+  if (hasReadByAgentIds && readByAgentIds.length) {
+    const readAgents = await prisma.agent.findMany({
+      where: { id: { in: readByAgentIds }, company: { userId: session.userId } },
+      select: { id: true },
+    })
+
+    if (readAgents.length !== readByAgentIds.length) {
+      return { ok: false, error: "Read marker agent not found." }
+    }
+  }
+
+  const nextStatus = (status as Status | undefined) ?? task.status
+  const statusChanged = nextStatus !== task.status
+  const noteChanged = hasNote && (note || null) !== task.note
+  const shouldClearNextStatusReads =
+    !hasReadByAgentIds && (statusChanged || noteChanged)
+
+  const updatedTask = await prisma.$transaction(async (tx: typeof prisma) => {
+    if (hasReadByAgentIds) {
+      await tx.taskReadMarker.deleteMany({
+        where: {
+          taskId: task.id,
+          status: nextStatus,
+          agentId: { notIn: readByAgentIds },
+        },
+      })
+
+      if (readByAgentIds.length) {
+        await Promise.all(
+          readByAgentIds.map((agentId) =>
+            tx.taskReadMarker.upsert({
+              where: {
+                taskId_agentId_status: {
+                  taskId: task.id,
+                  agentId,
+                  status: nextStatus,
+                },
+              },
+              create: { taskId: task.id, agentId, status: nextStatus },
+              update: { readAt: new Date() },
+            })
+          )
+        )
+      }
+    }
+
+    if (shouldClearNextStatusReads) {
+      await tx.taskReadMarker.deleteMany({
+        where: { taskId: task.id, status: nextStatus },
+      })
+    }
+
+    if (hasDependencyIds) {
+      await tx.taskDependency.deleteMany({ where: { blockedTaskId: task.id } })
+
+      if (dependencyIds.length) {
+        await tx.taskDependency.createMany({
+          data: dependencyIds.map((dependencyTaskId) => ({
+            blockedTaskId: task.id,
+            dependencyTaskId,
+          })),
+        })
+      }
+    }
+
+    return tx.task.update({
+      where: { id: task.id },
+      data: {
+        ...(assignedAgentId ? { assignedAgentId } : {}),
+        ...(name ? { name } : {}),
+        ...(job ? { job } : {}),
+        ...(status ? { status: status as Status } : {}),
+        ...(noteChanged
+          ? { note: note || null, summaryUpdatedAt: note ? new Date() : null }
+          : {}),
+        ...(blockingReason !== undefined
+          ? { blockingReason: blockingReason || null }
+          : {}),
+        ...userTaskUpdater({ id: session.userId, name: session.username }),
+      },
+      include: taskDetailInclude,
+    })
+  })
+
+  await createAuditLog({
+    companyId: task.project.companyId,
+    action:
+      status && status !== task.status ? "task.status_changed" : "task.updated",
+    target: { type: "task", id: task.id, name: updatedTask.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: formatChangedFields([
+      name && name !== task.name && "name",
+      job && job !== task.job && "job",
+      status && status !== task.status && `status (${task.status} → ${status})`,
+      assignedAgentId && assignedAgentId !== task.assignedAgentId && "assignee",
+      noteChanged && "result note",
+      hasReadByAgentIds && "read markers",
+      hasDependencyIds && "dependencies",
+      blockingReason !== undefined &&
+        (blockingReason || null) !== task.blockingReason &&
+        "blocking reason",
+    ]),
+  })
+  await invalidateAndRevalidate(task.project.companyId, task.projectId)
+
+  return {
+    ok: true,
+    task: serializeTaskDependencies(updatedTask) as unknown as ProjectTaskDetail,
+  }
+}
+
+export async function archiveDoneTasksAction(
+  projectId: string
+): Promise<ActionResult<{ archivedCount: number }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const project = await prisma.project.findFirst({
+    where: { id: projectId, company: { userId: session.userId } },
+    select: { id: true, name: true, companyId: true },
+  })
+
+  if (!project) {
+    return { ok: false, error: "Project not found." }
+  }
+
+  const result = await prisma.task.updateMany({
+    where: { projectId: project.id, status: Status.done, archivedAt: null },
+    data: { archivedAt: new Date() },
+  })
+
+  await createAuditLog({
+    companyId: project.companyId,
+    action: "project.tasks.archived",
+    target: { type: "project", id: project.id, name: project.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: `Archived ${result.count} done task${result.count === 1 ? "" : "s"}.`,
+  })
+  await invalidateAndRevalidate(project.companyId, project.id)
+
+  return { ok: true, archivedCount: result.count }
+}
+
+export async function deleteTaskAction(
+  taskId: string
+): Promise<ActionResult<{ taskId: string }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const task = await prisma.task.findFirst({
+    where: {
+      id: taskId,
+      project: { company: { userId: session.userId } },
+      archivedAt: null,
+    },
+    select: {
+      id: true,
+      name: true,
+      projectId: true,
+      project: { select: { companyId: true } },
+    },
+  })
+
+  if (!task) {
+    return { ok: false, error: "Task not found." }
+  }
+
+  await prisma.task.delete({ where: { id: task.id } })
+
+  await createAuditLog({
+    companyId: task.project.companyId,
+    action: "task.deleted",
+    target: { type: "task", id: task.id, name: task.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details: "Task deleted.",
+  })
+  await invalidateAndRevalidate(task.project.companyId, task.projectId)
+
+  return { ok: true, taskId: task.id }
+}
+
+async function loadProjectDetail(projectId: string, userId: string) {
+  const project = await prisma.project.findFirst({
+    where: { id: projectId, company: { userId } },
+    select: {
+      id: true,
+      companyId: true,
+      name: true,
+      description: true,
+      company: {
+        select: {
+          id: true,
+          name: true,
+          agents: {
+            orderBy: { name: "asc" },
+            select: {
+              id: true,
+              AgentId: true,
+              name: true,
+              position: true,
+            },
+          },
+        },
+      },
+      agents: {
+        orderBy: { agent: { name: "asc" } },
+        select: projectAgentSelect,
+      },
+    },
+  })
+
+  if (!project) return null
+
+  const tasks = await loadProjectTaskCards(project.id)
+
+  return {
+    ...project,
+    projectAgents: serializeProjectAgents(project.agents),
+    agents: undefined,
+    tasks,
+  }
+}
+
+async function loadProjectTaskCards(projectId: string) {
+  const tasks = await prisma.task.findMany({
+    where: { projectId, archivedAt: null },
+    orderBy: { name: "asc" },
+    select: {
+      id: true,
+      name: true,
+      note: true,
+      summaryUpdatedAt: true,
+      taskUpdatedAt: true,
+      taskUpdatedById: true,
+      taskUpdatedByName: true,
+      taskUpdatedByType: true,
+      status: true,
+      blockingReason: true,
+      readMarkers: {
+        where: { status: Status.done, agent: { AgentId: "main" } },
+        select: { readAt: true },
+      },
+      assigned: { select: { id: true, name: true, position: true } },
+    },
+  })
+  const taskIds = tasks.map((task) => task.id)
+  const [readCounts, dependencyEdges] = taskIds.length
+    ? await Promise.all([
+        prisma.taskReadMarker.groupBy({
+          by: ["taskId", "status"],
+          where: { taskId: { in: taskIds } },
+          _count: { _all: true },
+        }),
+        prisma.taskDependency.findMany({
+          where: {
+            OR: [
+              { blockedTaskId: { in: taskIds } },
+              { dependencyTaskId: { in: taskIds } },
+            ],
+          },
+          orderBy: { createdAt: "asc" },
+          select: {
+            blockedTaskId: true,
+            dependencyTaskId: true,
+            blockedTask: {
+              select: { id: true, name: true, status: true, archivedAt: true },
+            },
+            dependencyTask: {
+              select: { id: true, name: true, status: true, archivedAt: true },
+            },
+          },
+        }),
+      ])
+    : [[], []]
+
+  const readCountByTaskStatus = new Map<string, number>()
+  for (const readCount of readCounts) {
+    readCountByTaskStatus.set(
+      `${readCount.taskId}:${readCount.status}`,
+      readCount._count._all
+    )
+  }
+
+  const dependenciesByTask = new Map<string, Array<{ dependencyTask: TaskDependencyRow }>>()
+  const unblocksByTask = new Map<string, Array<{ blockedTask: TaskDependencyRow }>>()
+
+  for (const edge of dependencyEdges) {
+    if (edge.blockedTask.archivedAt || edge.dependencyTask.archivedAt) {
+      continue
+    }
+
+    const blockedByDependencies = dependenciesByTask.get(edge.blockedTaskId) ?? []
+    blockedByDependencies.push({ dependencyTask: edge.dependencyTask })
+    dependenciesByTask.set(edge.blockedTaskId, blockedByDependencies)
+
+    const unblocksDependencies = unblocksByTask.get(edge.dependencyTaskId) ?? []
+    unblocksDependencies.push({ blockedTask: edge.blockedTask })
+    unblocksByTask.set(edge.dependencyTaskId, unblocksDependencies)
+  }
+
+  return tasks.map((task) => {
+    const { note, readMarkers, ...taskCard } = task
+    const dependencies =
+      dependenciesByTask.get(task.id)?.map((dependency) => dependency.dependencyTask) ?? []
+    const unblocks =
+      unblocksByTask.get(task.id)?.map((dependency) => dependency.blockedTask) ?? []
+    const doneReviewReadAt = readMarkers[0]?.readAt
+    const notePreview = compactText(note)
+    const summaryUpdatedAt = getTaskSummaryUpdatedAt({
+      note,
+      summaryUpdatedAt: task.summaryUpdatedAt,
+      taskUpdatedAt: task.taskUpdatedAt,
+    })
+
+    return {
+      ...taskCard,
+      notePreview,
+      summaryUpdatedAt,
+      blockingReason: null,
+      readCount: readCountByTaskStatus.get(`${task.id}:${task.status}`) ?? 0,
+      blockingReasonPreview: compactText(task.blockingReason),
+      dependencies: dependencies.slice(0, 3),
+      dependencyIds: dependencies.map((dependency) => dependency.id),
+      dependencyCount: dependencies.length,
+      unblocks: unblocks.slice(0, 3),
+      unblocksCount: unblocks.length,
+      isDependencyReady:
+        dependencies.length > 0 &&
+        dependencies.every((dependency) => dependency.status === Status.done),
+      isUnreadDoneSummary:
+        task.status === Status.done &&
+        Boolean(summaryUpdatedAt) &&
+        (!doneReviewReadAt ||
+          new Date(doneReviewReadAt) < new Date(summaryUpdatedAt ?? 0)),
+    }
+  })
+}
+
+async function loadTaskDetail(taskId: string, userId: string) {
+  const task = await prisma.task.findFirst({
+    where: {
+      id: taskId,
+      project: { company: { userId } },
+      archivedAt: null,
+    },
+    include: taskDetailInclude,
+  })
+
+  return task ? (serializeTaskDependencies(task) as unknown as ProjectTaskDetail) : null
+}
+
+const taskDetailInclude = {
+  assigned: { select: { id: true, name: true, position: true } },
+  readMarkers: {
+    select: {
+      agentId: true,
+      status: true,
+      readAt: true,
+      agent: { select: { id: true, AgentId: true, name: true } },
+    },
+    orderBy: { readAt: "desc" },
+  },
+  blockedByDependencies: {
+    select: {
+      dependencyTask: { select: { id: true, name: true, status: true } },
+    },
+    orderBy: { createdAt: "asc" },
+  },
+  unblocksDependencies: {
+    select: {
+      blockedTask: { select: { id: true, name: true, status: true } },
+    },
+    orderBy: { createdAt: "asc" },
+  },
+} as const
+
+type TaskDependencyRow = {
+  id: string
+  name: string
+  status: Status
+}
+
+function compactText(value: string | null) {
+  if (!value) return null
+
+  const compacted = value.replace(/\s+/g, " ").trim()
+
+  return compacted.length > 180 ? `${compacted.slice(0, 177)}...` : compacted
+}
+
+function getTaskSummaryUpdatedAt({
+  note,
+  summaryUpdatedAt,
+  taskUpdatedAt,
+}: {
+  note: string | null
+  summaryUpdatedAt: Date | null
+  taskUpdatedAt: Date
+}) {
+  if (!note) return null
+
+  return summaryUpdatedAt ?? taskUpdatedAt
+}
+
+function uniqueStrings(values: string[]) {
+  return Array.from(new Set(values.filter(Boolean)))
+}
+
+async function invalidateAndRevalidate(companyId: string, projectId: string) {
+  await invalidateProjectAndCompanyCache({ companyId, projectId })
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/projects")
+  revalidatePath(`/dashboard/projects/${projectId}`)
+}
diff --git a/apps/web/app/dashboard/projects/[projectId]/create-task-dialog.tsx b/apps/web/app/dashboard/projects/[projectId]/create-task-dialog.tsx
index bc50998..96e7501 100644
--- a/apps/web/app/dashboard/projects/[projectId]/create-task-dialog.tsx
+++ b/apps/web/app/dashboard/projects/[projectId]/create-task-dialog.tsx
@@ -3,8 +3,6 @@
 import { useState } from "react"
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
 
-import { Status } from "@/generated/prisma/enums"
-
 import { Button } from "@/components/ui/button"
 import {
   Dialog,
@@ -24,13 +22,7 @@ import {
   SelectValue,
 } from "@/components/ui/select"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
-
-type TaskOption = {
-  id: string
-  name: string
-  status: Status
-}
+import { createTaskAction, getProjectDetailAction } from "./actions"
 
 type AgentOption = {
   id: string
@@ -53,10 +45,15 @@ export function CreateTaskDialog({
   const queryClient = useQueryClient()
   const dependencyOptionsQuery = useQuery({
     queryKey: ["project-task-dependency-options", projectId],
-    queryFn: () =>
-      apiJson<{ project: { tasks: TaskOption[] } }>(
-        `/api/internal/projects/${projectId}`
-      ),
+    queryFn: async () => {
+      const result = await getProjectDetailAction(projectId)
+
+      if (!result.ok) {
+        throw new Error(result.error)
+      }
+
+      return { project: { tasks: result.project.tasks } }
+    },
     enabled: open,
   })
   const dependencyOptions = dependencyOptionsQuery.data?.project.tasks ?? []
@@ -72,9 +69,12 @@ export function CreateTaskDialog({
       blockingReason: string
       dependencyIds: string[]
     }) =>
-      apiJson("/api/internal/tasks", {
-        method: "POST",
-        body: JSON.stringify(payload),
+      createTaskAction(payload).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: () => {
       setOpen(false)
diff --git a/apps/web/app/dashboard/projects/[projectId]/project-agents-manager.tsx b/apps/web/app/dashboard/projects/[projectId]/project-agents-manager.tsx
index c71d8fd..f31cc66 100644
--- a/apps/web/app/dashboard/projects/[projectId]/project-agents-manager.tsx
+++ b/apps/web/app/dashboard/projects/[projectId]/project-agents-manager.tsx
@@ -15,8 +15,7 @@ import {
   DialogTrigger,
 } from "@/components/ui/dialog"
 import { Label } from "@/components/ui/label"
-import { apiJson } from "@/lib/api/client"
-
+import { updateProjectAgentsAction } from "./actions"
 import type { ProjectAgent } from "./types"
 
 type ProjectAgentsManagerProps = {
@@ -39,9 +38,12 @@ export function ProjectAgentsManager({
   )
   const mutation = useMutation({
     mutationFn: (agentIds: string[]) =>
-      apiJson(`/api/internal/projects/${projectId}/agents`, {
-        method: "PUT",
-        body: JSON.stringify({ agentIds }),
+      updateProjectAgentsAction(projectId, agentIds).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: () => {
       setOpen(false)
diff --git a/apps/web/app/dashboard/projects/[projectId]/project-detail-client.tsx b/apps/web/app/dashboard/projects/[projectId]/project-detail-client.tsx
index dcc22c4..1df234f 100644
--- a/apps/web/app/dashboard/projects/[projectId]/project-detail-client.tsx
+++ b/apps/web/app/dashboard/projects/[projectId]/project-detail-client.tsx
@@ -15,53 +15,30 @@ import { CreateTaskDialog } from "./create-task-dialog"
 import { ProjectAgentsManager } from "./project-agents-manager"
 import { ProjectOverview, ProjectOverviewSkeleton } from "./project-overview"
 import { TaskKanban, TaskKanbanSkeleton } from "./task-kanban"
-import type { ProjectDetailData, RequestDiagnostics } from "./types"
+import { getProjectDetailAction } from "./actions"
+import type { ProjectDetailData } from "./types"
 
 type ProjectDetailClientProps = {
   initialProject: ProjectDetailData
   projectId: string
 }
 
-type TimedApiJsonResult<T> = T & {
-  diagnostics?: RequestDiagnostics
-}
-
-async function timedApiJson<T>(
-  input: RequestInfo | URL,
-  label: string
-): Promise<TimedApiJsonResult<T>> {
-  const startedAt = performance.now()
-  const response = await fetch(input, {
-    headers: { "Content-Type": "application/json" },
-  })
-  const data = (await response.json().catch(() => null)) as T & {
-    error?: string
-  }
-  const diagnostics: RequestDiagnostics = {
-    label,
-    clientDurationMs: Math.round(performance.now() - startedAt),
-    serverTiming: response.headers.get("Server-Timing"),
-  }
-
-  if (!response.ok) {
-    throw new Error(data?.error ?? "Request failed")
-  }
-
-  return { ...data, diagnostics }
-}
-
 export function ProjectDetailClient({ initialProject, projectId }: ProjectDetailClientProps) {
   const projectQuery = useQuery({
     queryKey: ["project", projectId],
-    queryFn: () =>
-      timedApiJson<{ project: ProjectDetailData }>(
-        `/api/internal/projects/${projectId}`,
-        "project board"
-      ),
+    queryFn: async () => {
+      const result = await getProjectDetailAction(projectId)
+
+      if (!result.ok) {
+        throw new Error(result.error)
+      }
+
+      return { project: result.project }
+    },
     initialData: { project: initialProject },
   })
   const project = projectQuery.data.project
-  const projectDiagnostics = projectQuery.data.diagnostics
+  const projectDiagnostics = undefined
   const agents = project.projectAgents
   const companyAgents = project.company.agents
   const isLoadingProjectData = projectQuery.isFetching && project.tasks.length === 0
diff --git a/apps/web/app/dashboard/projects/[projectId]/task-kanban.tsx b/apps/web/app/dashboard/projects/[projectId]/task-kanban.tsx
index 38ee83f..17ac6e0 100644
--- a/apps/web/app/dashboard/projects/[projectId]/task-kanban.tsx
+++ b/apps/web/app/dashboard/projects/[projectId]/task-kanban.tsx
@@ -43,9 +43,16 @@ import {
   SelectValue,
 } from "@/components/ui/select"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
 import { cn } from "@/lib/utils"
 
+import {
+  archiveDoneTasksAction,
+  deleteTaskAction,
+  getProjectDetailAction,
+  getTaskDetailAction,
+  updateTaskAction,
+  updateTaskStatusAction,
+} from "./actions"
 import type { ProjectTask, ProjectTaskDetail, RequestDiagnostics } from "./types"
 
 type TaskCard = ProjectTask
@@ -79,30 +86,39 @@ type TaskKanbanProps = {
   tasks: TaskCard[]
 }
 
-async function timedApiJson<T>(
-  input: RequestInfo | URL,
-  label: string
-): Promise<T & { diagnostics?: RequestDiagnostics }> {
-  const startedAt = performance.now()
-  const response = await fetch(input, {
-    headers: { "Content-Type": "application/json" },
-  })
-  const data = (await response.json().catch(() => null)) as T & {
-    error?: string
+async function runProjectDetailAction(projectId: string): Promise<ProjectQueryData> {
+  const result = await getProjectDetailAction(projectId)
+
+  if (!result.ok) {
+    throw new Error(result.error)
   }
-  const diagnostics: RequestDiagnostics = {
-    label,
-    clientDurationMs: Math.round(performance.now() - startedAt),
-    serverTiming: response.headers.get("Server-Timing"),
+
+  return { project: { tasks: result.project.tasks } }
+}
+
+async function runTaskDetailAction(taskId: string): Promise<TaskDetailQueryData> {
+  const result = await getTaskDetailAction(taskId)
+
+  if (!result.ok) {
+    throw new Error(result.error)
   }
 
-  if (!response.ok) {
-    throw new Error(data?.error ?? "Request failed")
+  return { task: result.task }
+}
+
+async function unwrapActionResult<T>(
+  action: Promise<({ ok: true } & T) | { ok: false; error: string }>
+): Promise<T> {
+  const result = await action
+
+  if (!result.ok) {
+    throw new Error(result.error)
   }
 
-  return { ...data, diagnostics }
+  return result as T
 }
 
+
 const columns = [
   { key: Status.todo, label: "Todo" },
   { key: Status.inprogress, label: "In progress" },
@@ -125,19 +141,12 @@ export function TaskKanban({
   const queryClient = useQueryClient()
   const projectQuery = useQuery({
     queryKey: ["project", projectId],
-    queryFn: () =>
-      timedApiJson<ProjectQueryData>(
-        `/api/internal/projects/${projectId}`,
-        "project board"
-      ),
+    queryFn: () => runProjectDetailAction(projectId),
     initialData: { project: { tasks } },
   })
   const statusMutation = useMutation({
     mutationFn: ({ taskId, status }: { taskId: string; status: Status }) =>
-      apiJson(`/api/internal/tasks/${taskId}`, {
-        method: "PATCH",
-        body: JSON.stringify({ status }),
-      }),
+      unwrapActionResult(updateTaskStatusAction(taskId, status)),
     onMutate: async ({ taskId, status }) => {
       await queryClient.cancelQueries({ queryKey: ["project", projectId] })
       const previous = queryClient.getQueryData<ProjectQueryData>([
@@ -202,11 +211,7 @@ export function TaskKanban({
         readByAgentIds: string[]
         blockingReason: string
       }
-    }) =>
-      apiJson(`/api/internal/tasks/${taskId}`, {
-        method: "PATCH",
-        body: JSON.stringify(payload),
-      }),
+    }) => unwrapActionResult(updateTaskAction(taskId, payload)),
     onSuccess: () => {
       setEditingTask(null)
       setEditingStatus(null)
@@ -214,13 +219,7 @@ export function TaskKanban({
     },
   })
   const archiveDoneMutation = useMutation({
-    mutationFn: () =>
-      apiJson<{ archivedCount: number }>(
-        `/api/internal/projects/${projectId}/archive-done`,
-        {
-          method: "POST",
-        }
-      ),
+    mutationFn: () => unwrapActionResult(archiveDoneTasksAction(projectId)),
     onSuccess: (data) => {
       setConfirmArchiveDone(false)
       setArchiveSuccess(
@@ -238,9 +237,7 @@ export function TaskKanban({
   })
   const deleteMutation = useMutation({
     mutationFn: (taskId: string) =>
-      apiJson(`/api/internal/tasks/${taskId}`, {
-        method: "DELETE",
-      }),
+      unwrapActionResult(deleteTaskAction(taskId)),
     onSuccess: () => {
       setDeletingTask(null)
       queryClient.invalidateQueries({ queryKey: ["project", projectId] })
@@ -258,11 +255,7 @@ export function TaskKanban({
   ).length
   const editingTaskQuery = useQuery({
     queryKey: ["task", editingTask?.id],
-    queryFn: () =>
-      timedApiJson<TaskDetailQueryData>(
-        `/api/internal/tasks/${editingTask?.id}`,
-        "task detail"
-      ),
+    queryFn: () => runTaskDetailAction(editingTask?.id ?? ""),
     enabled: Boolean(editingTask),
   })
   const editableTask = editingTaskQuery.data?.task ?? editingTask
@@ -833,11 +826,7 @@ function TaskDetails({ task }: { task: TaskCard }) {
   const [expanded, setExpanded] = useState(false)
   const detailQuery = useQuery({
     queryKey: ["task", task.id],
-    queryFn: () =>
-      timedApiJson<TaskDetailQueryData>(
-        `/api/internal/tasks/${task.id}`,
-        "task detail"
-      ),
+    queryFn: () => runTaskDetailAction(task.id),
     enabled: expanded,
   })
   const detail = detailQuery.data?.task
diff --git a/apps/web/app/dashboard/settings/actions.ts b/apps/web/app/dashboard/settings/actions.ts
new file mode 100644
index 0000000..e568f0a
--- /dev/null
+++ b/apps/web/app/dashboard/settings/actions.ts
@@ -0,0 +1,203 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import bcrypt from "bcryptjs"
+
+import { createAuditLog } from "@/lib/api/audit-log"
+import { invalidateCompanyCache } from "@/lib/api/cache"
+import { createSession, getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+import { generateCompanyBearerToken } from "@/lib/token"
+
+type ActionResult<T = object> = ({ ok: true } & T) | { ok: false; error: string }
+
+type CompanyRow = {
+  id: string
+  name: string
+  description: string
+}
+
+export async function updateCompanyAction(
+  companyId: string,
+  payload: { name: string; description: string }
+): Promise<ActionResult<{ company: CompanyRow }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const name = payload.name.trim()
+  const description = payload.description.trim()
+
+  if (!name) {
+    return { ok: false, error: "Company name is required." }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+  })
+
+  if (!company) {
+    return { ok: false, error: "Company not found." }
+  }
+
+  const updatedCompany = await prisma.company.update({
+    where: { id: company.id },
+    data: { name, description },
+    select: { id: true, name: true, description: true },
+  })
+
+  await invalidateAndRevalidate(company.id)
+
+  return { ok: true, company: updatedCompany }
+}
+
+export async function deleteCompanyAction(
+  companyId: string,
+  confirmationName: string
+): Promise<ActionResult<{ companyId: string }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+  })
+
+  if (!company) {
+    return { ok: false, error: "Company not found." }
+  }
+
+  if (confirmationName.trim() !== company.name) {
+    return { ok: false, error: "Type the company name exactly to delete this company." }
+  }
+
+  await prisma.company.delete({ where: { id: company.id } })
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/projects")
+  revalidatePath("/dashboard/agents")
+  revalidatePath("/dashboard/settings")
+
+  return { ok: true, companyId: company.id }
+}
+
+export async function rotateCompanyTokenAction(
+  companyId: string
+): Promise<ActionResult<{ token: string }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const company = await prisma.company.findFirst({
+    where: { id: companyId, userId: session.userId },
+  })
+
+  if (!company) {
+    return { ok: false, error: "Company not found." }
+  }
+
+  const { token, bearerTokenHash } = generateCompanyBearerToken()
+
+  await prisma.company.update({
+    where: { id: company.id },
+    data: { bearerTokenHash },
+  })
+
+  await createAuditLog({
+    companyId: company.id,
+    action: "company.token_rotated",
+    target: { type: "company", id: company.id, name: company.name },
+    actor: { type: "user", id: session.userId, name: session.username },
+    details:
+      "Rotated the company bearer token. Existing external agent configs must be updated.",
+  })
+  await invalidateAndRevalidate(company.id)
+
+  return { ok: true, token }
+}
+
+export async function changePasswordAction(payload: {
+  currentPassword: string
+  newPassword: string
+}): Promise<ActionResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const currentPassword = payload.currentPassword
+  const newPassword = payload.newPassword
+
+  if (!currentPassword || !newPassword) {
+    return { ok: false, error: "Current password and new password are required." }
+  }
+
+  if (newPassword.length < 8) {
+    return { ok: false, error: "New password must be at least 8 characters." }
+  }
+
+  const user = await prisma.user.findUnique({ where: { id: session.userId } })
+
+  if (!user || !(await bcrypt.compare(currentPassword, user.passwordHash))) {
+    return { ok: false, error: "Current password is incorrect." }
+  }
+
+  const passwordHash = await bcrypt.hash(newPassword, 12)
+  await prisma.user.update({
+    where: { id: session.userId },
+    data: { passwordHash },
+  })
+
+  return { ok: true }
+}
+
+export async function changeUsernameAction(payload: {
+  username: string
+  password: string
+}): Promise<ActionResult> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const username = payload.username.trim()
+  const password = payload.password
+
+  if (!username || !password) {
+    return { ok: false, error: "Username and password are required." }
+  }
+
+  const user = await prisma.user.findUnique({ where: { id: session.userId } })
+
+  if (!user || !(await bcrypt.compare(password, user.passwordHash))) {
+    return { ok: false, error: "Password is incorrect." }
+  }
+
+  const existingUser = await prisma.user.findUnique({ where: { username } })
+
+  if (existingUser && existingUser.id !== session.userId) {
+    return { ok: false, error: "Username is already taken." }
+  }
+
+  await prisma.user.update({ where: { id: session.userId }, data: { username } })
+  await createSession({ userId: session.userId, username })
+  revalidatePath("/dashboard")
+
+  return { ok: true }
+}
+
+async function invalidateAndRevalidate(companyId: string) {
+  await invalidateCompanyCache(companyId)
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/projects")
+  revalidatePath("/dashboard/agents")
+  revalidatePath("/dashboard/settings")
+}
diff --git a/apps/web/app/dashboard/settings/company-settings-form.tsx b/apps/web/app/dashboard/settings/company-settings-form.tsx
index c1f8bb9..f76cfd4 100644
--- a/apps/web/app/dashboard/settings/company-settings-form.tsx
+++ b/apps/web/app/dashboard/settings/company-settings-form.tsx
@@ -20,7 +20,11 @@ import { Button } from "@/components/ui/button"
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
+import {
+  deleteCompanyAction,
+  rotateCompanyTokenAction,
+  updateCompanyAction,
+} from "./actions"
 
 type CompanySettingsFormProps = {
   company: {
@@ -36,13 +40,13 @@ export function CompanySettingsForm({ company }: CompanySettingsFormProps) {
   const [deleteConfirmation, setDeleteConfirmation] = useState("")
   const updateMutation = useMutation({
     mutationFn: (payload: { name: string; description: string }) =>
-      apiJson<{ company: CompanySettingsFormProps["company"] }>(
-        `/api/internal/companies/${company.id}`,
-        {
-          method: "PATCH",
-          body: JSON.stringify(payload),
+      updateCompanyAction(company.id, payload).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
         }
-      ),
+
+        return result
+      }),
     onSuccess: async () => {
       await queryClient.invalidateQueries({ queryKey: ["companies"] })
       router.refresh()
@@ -50,9 +54,12 @@ export function CompanySettingsForm({ company }: CompanySettingsFormProps) {
   })
   const deleteMutation = useMutation({
     mutationFn: () =>
-      apiJson<{ companyId: string }>(`/api/internal/companies/${company.id}`, {
-        method: "DELETE",
-        body: JSON.stringify({ confirmationName: deleteConfirmation }),
+      deleteCompanyAction(company.id, deleteConfirmation).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: async () => {
       await queryClient.invalidateQueries({ queryKey: ["companies"] })
@@ -62,9 +69,12 @@ export function CompanySettingsForm({ company }: CompanySettingsFormProps) {
   })
   const tokenMutation = useMutation({
     mutationFn: () =>
-      apiJson<{ token: string }>(`/api/internal/companies/${company.id}`, {
-        method: "POST",
-        body: JSON.stringify({ confirmRotation: true }),
+      rotateCompanyTokenAction(company.id).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
   })
 
diff --git a/apps/web/components/dashboard/actions.ts b/apps/web/components/dashboard/actions.ts
new file mode 100644
index 0000000..5f6cd2f
--- /dev/null
+++ b/apps/web/components/dashboard/actions.ts
@@ -0,0 +1,45 @@
+"use server"
+
+import { revalidatePath } from "next/cache"
+
+import { getSession } from "@/lib/auth"
+import { prisma } from "@/lib/prisma"
+import { generateCompanyBearerToken } from "@/lib/token"
+
+type ActionResult<T> = ({ ok: true } & T) | { ok: false; error: string }
+
+export async function createCompanyAction(payload: {
+  name: string
+  description: string
+}): Promise<ActionResult<{ company: { id: string }; token: string }>> {
+  const session = await getSession()
+
+  if (!session) {
+    return { ok: false, error: "Unauthorized" }
+  }
+
+  const name = payload.name.trim()
+  const description = payload.description.trim()
+
+  if (!name) {
+    return { ok: false, error: "Company name is required." }
+  }
+
+  const { token, bearerTokenHash } = generateCompanyBearerToken()
+  const company = await prisma.company.create({
+    data: {
+      name,
+      description,
+      userId: session.userId,
+      bearerTokenHash,
+    },
+    select: { id: true },
+  })
+
+  revalidatePath("/dashboard")
+  revalidatePath("/dashboard/projects")
+  revalidatePath("/dashboard/agents")
+  revalidatePath("/dashboard/settings")
+
+  return { ok: true, company, token }
+}
diff --git a/apps/web/components/dashboard/change-password-dialog.tsx b/apps/web/components/dashboard/change-password-dialog.tsx
index b657c85..4a097b2 100644
--- a/apps/web/components/dashboard/change-password-dialog.tsx
+++ b/apps/web/components/dashboard/change-password-dialog.tsx
@@ -14,16 +14,19 @@ import {
 } from "@/components/ui/dialog"
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
-import { apiJson } from "@/lib/api/client"
+import { changePasswordAction } from "@/app/dashboard/settings/actions"
 
 export function ChangePasswordDialog() {
   const [open, setOpen] = useState(false)
   const [message, setMessage] = useState<string | null>(null)
   const mutation = useMutation({
     mutationFn: (payload: { currentPassword: string; newPassword: string }) =>
-      apiJson<{ statusCode: 200 }>("/api/internal/account/password", {
-        method: "PUT",
-        body: JSON.stringify(payload),
+      changePasswordAction(payload).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: () => {
       setMessage("Password changed.")
diff --git a/apps/web/components/dashboard/change-username-dialog.tsx b/apps/web/components/dashboard/change-username-dialog.tsx
index c0e7e0a..e5b8a4a 100644
--- a/apps/web/components/dashboard/change-username-dialog.tsx
+++ b/apps/web/components/dashboard/change-username-dialog.tsx
@@ -15,7 +15,7 @@ import {
 } from "@/components/ui/dialog"
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
-import { apiJson } from "@/lib/api/client"
+import { changeUsernameAction } from "@/app/dashboard/settings/actions"
 
 type ChangeUsernameDialogProps = {
   username: string
@@ -26,9 +26,12 @@ export function ChangeUsernameDialog({ username }: ChangeUsernameDialogProps) {
   const [message, setMessage] = useState<string | null>(null)
   const mutation = useMutation({
     mutationFn: (payload: { username: string; password: string }) =>
-      apiJson<{ statusCode: 200 }>("/api/internal/account/username", {
-        method: "PUT",
-        body: JSON.stringify(payload),
+      changeUsernameAction(payload).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: () => {
       setMessage("Username changed.")
diff --git a/apps/web/components/dashboard/create-company-dialog.tsx b/apps/web/components/dashboard/create-company-dialog.tsx
index 27ee6e8..17b2055 100644
--- a/apps/web/components/dashboard/create-company-dialog.tsx
+++ b/apps/web/components/dashboard/create-company-dialog.tsx
@@ -17,7 +17,7 @@ import {
 import { Input } from "@/components/ui/input"
 import { Label } from "@/components/ui/label"
 import { Textarea } from "@/components/ui/textarea"
-import { apiJson } from "@/lib/api/client"
+import { createCompanyAction } from "./actions"
 
 type CreateCompanyDialogProps = {
   defaultOpen?: boolean
@@ -36,9 +36,12 @@ export function CreateCompanyDialog({
   const queryClient = useQueryClient()
   const mutation = useMutation({
     mutationFn: (payload: { name: string; description: string }) =>
-      apiJson<{ company: { id: string }; token: string }>("/api/internal/companies", {
-        method: "POST",
-        body: JSON.stringify(payload),
+      createCompanyAction(payload).then((result) => {
+        if (!result.ok) {
+          throw new Error(result.error)
+        }
+
+        return result
       }),
     onSuccess: async (data) => {
       await queryClient.invalidateQueries({ queryKey: ["companies"] })

From 087fcb1418c04f1c30b6d79ff29f6a54a1149f24 Mon Sep 17 00:00:00 2001
From: Kaito <kaito@agentbridge.local>
Date: Thu, 14 May 2026 01:55:48 +0700
Subject: [PATCH 5/5] refactor(dashboard): remove internal api routes

---
 AGENTS.md                                     |   8 +-
 CONTRIBUTING.md                               |   2 +-
 README.md                                     |   4 +-
 .../api/internal/account/password/route.ts    |  44 --
 .../api/internal/account/username/route.ts    |  48 --
 .../api/internal/agents/[agentId]/route.ts    | 135 ------
 apps/web/app/api/internal/agents/route.ts     | 143 ------
 apps/web/app/api/internal/audit-logs/route.ts |  33 --
 .../internal/companies/[companyId]/route.ts   | 114 -----
 apps/web/app/api/internal/companies/route.ts  |  49 --
 .../app/api/internal/dashboard/brief/route.ts | 432 -----------------
 .../api/internal/dashboard/summary/route.ts   |  72 ---
 .../api/internal/notes/[taskId]/read/route.ts |  81 ----
 apps/web/app/api/internal/notes/route.ts      | 114 -----
 .../projects/[projectId]/agents/route.ts      | 123 -----
 .../[projectId]/archive-done/route.ts         |  53 ---
 .../internal/projects/[projectId]/route.ts    | 387 ---------------
 apps/web/app/api/internal/projects/route.ts   |  99 ----
 .../app/api/internal/tasks/[taskId]/route.ts  | 439 ------------------
 apps/web/app/api/internal/tasks/route.ts      | 186 --------
 apps/web/lib/api/client.ts                    |  16 -
 21 files changed, 6 insertions(+), 2576 deletions(-)
 delete mode 100644 apps/web/app/api/internal/account/password/route.ts
 delete mode 100644 apps/web/app/api/internal/account/username/route.ts
 delete mode 100644 apps/web/app/api/internal/agents/[agentId]/route.ts
 delete mode 100644 apps/web/app/api/internal/agents/route.ts
 delete mode 100644 apps/web/app/api/internal/audit-logs/route.ts
 delete mode 100644 apps/web/app/api/internal/companies/[companyId]/route.ts
 delete mode 100644 apps/web/app/api/internal/companies/route.ts
 delete mode 100644 apps/web/app/api/internal/dashboard/brief/route.ts
 delete mode 100644 apps/web/app/api/internal/dashboard/summary/route.ts
 delete mode 100644 apps/web/app/api/internal/notes/[taskId]/read/route.ts
 delete mode 100644 apps/web/app/api/internal/notes/route.ts
 delete mode 100644 apps/web/app/api/internal/projects/[projectId]/agents/route.ts
 delete mode 100644 apps/web/app/api/internal/projects/[projectId]/archive-done/route.ts
 delete mode 100644 apps/web/app/api/internal/projects/[projectId]/route.ts
 delete mode 100644 apps/web/app/api/internal/projects/route.ts
 delete mode 100644 apps/web/app/api/internal/tasks/[taskId]/route.ts
 delete mode 100644 apps/web/app/api/internal/tasks/route.ts
 delete mode 100644 apps/web/lib/api/client.ts

diff --git a/AGENTS.md b/AGENTS.md
index 86427d3..ea6ce6d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -22,18 +22,16 @@
 - Keep the existing visual language: rounded cards, muted surfaces, Tailwind utility classes, and dashboard shell/sidebar patterns.
 - Prefer small, direct component changes over new abstractions unless reuse is clear.
 
-## API Routes
+## API Routes and Dashboard Actions
 
-- Always create internal app APIs under `/api/internal/**`.
+- Use Server Actions and server-component loaders for dashboard and in-app usage. Do not create new `/api/internal/**` routes for dashboard-only flows.
 - Always create agent/external-use APIs under `/api/agent/**`.
-- Internal APIs are for dashboard and in-app usage.
 - Agent APIs are for agent usage outside the app.
 - API routes must use the Next.js App Router route format under `app/api/**/route.ts`.
-- Internal API route files should live under `app/api/internal/**/route.ts`.
 - Agent API route files should live under `app/api/agent/**/route.ts`.
 - Always use OpenAPI and Swagger documentation for `/api/agent/**` routes.
 - Only `/api/agent/**` routes should appear in OpenAPI/Swagger docs.
-- Do not document `/api/internal/**` routes in OpenAPI/Swagger.
+- Do not document dashboard Server Actions or any internal-only route in OpenAPI/Swagger.
 - When adding or changing `/api/agent/**` routes, update the OpenAPI JSDoc comments beside the route handler.
 - Add concrete JSON response examples to Swagger/OpenAPI for `/api/agent/**` routes.
 - Use `app/api/agent/agents/route.ts` as the example pattern for agent API docs.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 76442a4..9ebd1bf 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -58,7 +58,7 @@ corepack pnpm prisma:studio
 
 ## API conventions
 
-- Dashboard-only APIs belong under `/api/internal/**`.
+- Dashboard-only reads and mutations should use Server Actions or server-component loaders. Do not add new `/api/internal/**` routes for dashboard-only flows.
 - External agent APIs belong under `/api/agent/**`.
 - Agent API requests must use the company bearer token and an `AgentId` header.
 - Never log, print, or expose bearer tokens.
diff --git a/README.md b/README.md
index 6b7cd9f..eef942c 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ Another fun detail: **Kaito is currently the most frequent code pusher in this r
 - Task instructions (`job`), blocking reasons, and optional `note` fields for agent result notes, done summaries, or handoff notes.
 - Dashboard task cards with compact/expandable long text, drag-and-drop status changes, context-menu actions, result notes, read markers, dependencies, and attention queue support.
 - Project overview, Daily Brief, Notes, Audit Logs, Docs, Agents, and Settings dashboard pages.
-- Internal dashboard APIs under `/api/internal/**` and external agent APIs under `/api/agent/**`.
+- Server Actions and server-component loaders for dashboard flows, plus external agent APIs under `/api/agent/**`.
 - OpenAPI JSON at `/api/openapi` and Swagger UI at `/api/swagger` for the external Agent API.
 - Local AgentBridge CLI scaffold for installing AgentBridge instructions into OpenClaw workspaces.
 
@@ -60,7 +60,7 @@ AgentBridge does not currently include billing, public signup, or third-party in
 - React and TypeScript
 - Tailwind CSS and shadcn/ui-style components
 - Prisma with PostgreSQL
-- React Query for dashboard mutations and cached client data
+- React Query for selected dashboard client state and action-backed lazy detail loading
 - Swagger/OpenAPI documentation for `/api/agent/**`
 - Local workspace CLI package for OpenClaw setup
 
diff --git a/apps/web/app/api/internal/account/password/route.ts b/apps/web/app/api/internal/account/password/route.ts
deleted file mode 100644
index 8156fbe..0000000
--- a/apps/web/app/api/internal/account/password/route.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-import bcrypt from "bcryptjs"
-import { NextResponse } from "next/server"
-
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function PUT(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    currentPassword?: unknown
-    newPassword?: unknown
-  } | null
-
-  const currentPassword = typeof body?.currentPassword === "string" ? body.currentPassword : ""
-  const newPassword = typeof body?.newPassword === "string" ? body.newPassword : ""
-
-  if (!currentPassword || !newPassword) {
-    return badRequest("Current password and new password are required.")
-  }
-
-  if (newPassword.length < 8) {
-    return badRequest("New password must be at least 8 characters.")
-  }
-
-  const user = await prisma.user.findUnique({
-    where: { id: session.userId },
-  })
-
-  if (!user || !(await bcrypt.compare(currentPassword, user.passwordHash))) {
-    return badRequest("Current password is incorrect.")
-  }
-
-  const passwordHash = await bcrypt.hash(newPassword, 12)
-
-  await prisma.user.update({
-    where: { id: session.userId },
-    data: { passwordHash },
-  })
-
-  return NextResponse.json({ statusCode: 200 })
-}
diff --git a/apps/web/app/api/internal/account/username/route.ts b/apps/web/app/api/internal/account/username/route.ts
deleted file mode 100644
index b48a618..0000000
--- a/apps/web/app/api/internal/account/username/route.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import bcrypt from "bcryptjs"
-import { NextResponse } from "next/server"
-
-import { createSession } from "@/lib/auth"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function PUT(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    username?: unknown
-    password?: unknown
-  } | null
-
-  const username = typeof body?.username === "string" ? body.username.trim() : ""
-  const password = typeof body?.password === "string" ? body.password : ""
-
-  if (!username || !password) {
-    return badRequest("Username and password are required.")
-  }
-
-  const user = await prisma.user.findUnique({
-    where: { id: session.userId },
-  })
-
-  if (!user || !(await bcrypt.compare(password, user.passwordHash))) {
-    return badRequest("Password is incorrect.")
-  }
-
-  const existingUser = await prisma.user.findUnique({
-    where: { username },
-  })
-
-  if (existingUser && existingUser.id !== session.userId) {
-    return badRequest("Username is already taken.")
-  }
-
-  await prisma.user.update({
-    where: { id: session.userId },
-    data: { username },
-  })
-  await createSession({ userId: session.userId, username })
-
-  return NextResponse.json({ statusCode: 200 })
-}
diff --git a/apps/web/app/api/internal/agents/[agentId]/route.ts b/apps/web/app/api/internal/agents/[agentId]/route.ts
deleted file mode 100644
index 240fe7a..0000000
--- a/apps/web/app/api/internal/agents/[agentId]/route.ts
+++ /dev/null
@@ -1,135 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
-import {
-  badRequest,
-  notFound,
-  requireInternalSession,
-} from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-type RouteContext = {
-  params: Promise<{ agentId: string }>
-}
-
-export async function PATCH(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    AgentId?: unknown
-    name?: unknown
-    description?: unknown
-    position?: unknown
-  } | null
-
-  const nextAgentId =
-    typeof body?.AgentId === "string" ? body.AgentId.trim() : undefined
-  const name = typeof body?.name === "string" ? body.name.trim() : undefined
-  const description =
-    typeof body?.description === "string" ? body.description.trim() : undefined
-  const position =
-    typeof body?.position === "string" ? body.position.trim() : undefined
-
-  if (nextAgentId === "" || name === "" || position === "") {
-    return badRequest("AgentId, name, and position cannot be empty.")
-  }
-
-  if (
-    nextAgentId === undefined &&
-    name === undefined &&
-    description === undefined &&
-    position === undefined
-  ) {
-    return badRequest("No agent changes provided.")
-  }
-
-  const { agentId } = await params
-  const agent = await prisma.agent.findFirst({
-    where: {
-      id: agentId,
-      company: { userId: session.userId },
-    },
-  })
-
-  if (!agent) {
-    return notFound("Agent not found.")
-  }
-
-  if (nextAgentId && nextAgentId !== agent.AgentId) {
-    const existing = await prisma.agent.findUnique({
-      where: { AgentId: nextAgentId },
-      select: { id: true },
-    })
-
-    if (existing) {
-      return badRequest("AgentId is already in use.")
-    }
-  }
-
-  const updatedAgent = await prisma.agent.update({
-    where: { id: agent.id },
-    data: {
-      ...(nextAgentId !== undefined ? { AgentId: nextAgentId } : {}),
-      ...(name !== undefined ? { name } : {}),
-      ...(description !== undefined ? { description } : {}),
-      ...(position !== undefined ? { position } : {}),
-    },
-    select: {
-      id: true,
-      AgentId: true,
-      name: true,
-      description: true,
-      position: true,
-      companyId: true,
-    },
-  })
-
-  await createAuditLog({
-    companyId: agent.companyId,
-    action: "agent.updated",
-    target: { type: "agent", id: agent.id, name: updatedAgent.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: formatChangedFields([
-      nextAgentId !== undefined && nextAgentId !== agent.AgentId && "AgentId",
-      name !== undefined && name !== agent.name && "name",
-      description !== undefined &&
-        description !== agent.description &&
-        "description",
-      position !== undefined && position !== agent.position && "position",
-    ]),
-  })
-
-  return NextResponse.json({ statusCode: 200, agent: updatedAgent })
-}
-
-export async function DELETE(_request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { agentId } = await params
-  const agent = await prisma.agent.findFirst({
-    where: {
-      id: agentId,
-      company: { userId: session.userId },
-    },
-  })
-
-  if (!agent) {
-    return notFound("Agent not found.")
-  }
-
-  await prisma.agent.delete({ where: { id: agent.id } })
-
-  await createAuditLog({
-    companyId: agent.companyId,
-    action: "agent.deleted",
-    target: { type: "agent", id: agent.id, name: agent.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: `Deleted AgentId ${agent.AgentId}.`,
-  })
-
-  return NextResponse.json({ statusCode: 200, agentId: agent.id })
-}
diff --git a/apps/web/app/api/internal/agents/route.ts b/apps/web/app/api/internal/agents/route.ts
deleted file mode 100644
index 826ea51..0000000
--- a/apps/web/app/api/internal/agents/route.ts
+++ /dev/null
@@ -1,143 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import { Prisma } from "@/generated/prisma/client"
-import { createAuditLog } from "@/lib/api/audit-log"
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-  invalidateCompanyCache,
-} from "@/lib/api/cache"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companyId = request.nextUrl.searchParams.get("companyId")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(companyId)
-  const { value, cacheStatus } = await cacheJson(
-    cacheKey(["internal", "agents", session.userId, companyId, companyVersion]),
-    cacheTtl.agentList,
-    async () => {
-      const agents = await prisma.agent.findMany({
-        where: { companyId },
-        orderBy: { name: "asc" },
-        select: {
-          id: true,
-          AgentId: true,
-          name: true,
-          description: true,
-          position: true,
-          companyId: true,
-        },
-      })
-
-      return { statusCode: 200, agents }
-    }
-  )
-
-  return NextResponse.json(value, {
-    headers: { "X-AgentBridge-Cache": cacheStatusHeader(cacheStatus) },
-  })
-}
-
-export async function POST(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    companyId?: unknown
-    AgentId?: unknown
-    name?: unknown
-    description?: unknown
-    position?: unknown
-  } | null
-
-  const companyId = typeof body?.companyId === "string" ? body.companyId : ""
-  const AgentId = typeof body?.AgentId === "string" ? body.AgentId.trim() : ""
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-  const description = typeof body?.description === "string" ? body.description.trim() : ""
-  const position = typeof body?.position === "string" ? body.position.trim() : ""
-
-  if (!companyId || !AgentId || !name || !position) {
-    return badRequest("Company, AgentId, name, and position are required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const existingAgent = await prisma.agent.findUnique({
-    where: { AgentId },
-    select: { id: true },
-  })
-
-  if (existingAgent) {
-    return badRequest("AgentId is already in use.")
-  }
-
-  const agent = await prisma.agent
-    .create({
-      data: {
-        companyId,
-        AgentId,
-        name,
-        description,
-        position,
-      },
-      select: {
-        id: true,
-        AgentId: true,
-        name: true,
-        description: true,
-        position: true,
-        companyId: true,
-      },
-    })
-    .catch((error: unknown) => {
-      if (error instanceof Prisma.PrismaClientKnownRequestError && error.code === "P2002") {
-        return null
-      }
-
-      throw error
-    })
-
-  if (!agent) {
-    return badRequest("AgentId is already in use.")
-  }
-
-  await createAuditLog({
-    companyId,
-    action: "agent.created",
-    target: { type: "agent", id: agent.id, name: agent.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: `Created AgentId ${agent.AgentId}.`,
-  })
-  await invalidateCompanyCache(companyId)
-
-  return NextResponse.json({ statusCode: 201, agent }, { status: 201 })
-}
diff --git a/apps/web/app/api/internal/audit-logs/route.ts b/apps/web/app/api/internal/audit-logs/route.ts
deleted file mode 100644
index a8ceccb..0000000
--- a/apps/web/app/api/internal/audit-logs/route.ts
+++ /dev/null
@@ -1,33 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companyId = request.nextUrl.searchParams.get("companyId")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const auditLogs = await prisma.auditLog.findMany({
-    where: { companyId: company.id },
-    orderBy: { createdAt: "desc" },
-    take: 100,
-  })
-
-  return NextResponse.json({ statusCode: 200, auditLogs })
-}
diff --git a/apps/web/app/api/internal/companies/[companyId]/route.ts b/apps/web/app/api/internal/companies/[companyId]/route.ts
deleted file mode 100644
index ec36e27..0000000
--- a/apps/web/app/api/internal/companies/[companyId]/route.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { createAuditLog } from "@/lib/api/audit-log"
-import { badRequest, notFound, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-import { generateCompanyBearerToken } from "@/lib/token"
-
-type RouteContext = {
-  params: Promise<{ companyId: string }>
-}
-
-export async function PATCH(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    name?: unknown
-    description?: unknown
-  } | null
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-  const description = typeof body?.description === "string" ? body.description.trim() : ""
-
-  if (!name) {
-    return badRequest("Company name is required.")
-  }
-
-  const { companyId } = await params
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-  })
-
-  if (!company) {
-    return notFound("Company not found.")
-  }
-
-  const updatedCompany = await prisma.company.update({
-    where: { id: company.id },
-    data: { name, description },
-    omit: { bearerTokenHash: true },
-  })
-
-  return NextResponse.json({ statusCode: 200, company: updatedCompany })
-}
-
-export async function DELETE(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    confirmationName?: unknown
-  } | null
-  const confirmationName =
-    typeof body?.confirmationName === "string" ? body.confirmationName.trim() : ""
-
-  const { companyId } = await params
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-  })
-
-  if (!company) {
-    return notFound("Company not found.")
-  }
-
-  if (confirmationName !== company.name) {
-    return badRequest("Type the company name exactly to delete this company.")
-  }
-
-  await prisma.company.delete({ where: { id: company.id } })
-
-  return NextResponse.json({ statusCode: 200, companyId: company.id })
-}
-
-export async function POST(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    confirmRotation?: unknown
-  } | null
-
-  if (body?.confirmRotation !== true) {
-    return badRequest("Confirm token rotation before generating a new company token.")
-  }
-
-  const { companyId } = await params
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-  })
-
-  if (!company) {
-    return notFound("Company not found.")
-  }
-
-  const { token, bearerTokenHash } = generateCompanyBearerToken()
-
-  await prisma.company.update({
-    where: { id: company.id },
-    data: { bearerTokenHash },
-  })
-
-  await createAuditLog({
-    companyId: company.id,
-    action: "company.token_rotated",
-    target: { type: "company", id: company.id, name: company.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details:
-      "Rotated the company bearer token. Existing external agent configs must be updated.",
-  })
-
-  return NextResponse.json({ statusCode: 200, token })
-}
diff --git a/apps/web/app/api/internal/companies/route.ts b/apps/web/app/api/internal/companies/route.ts
deleted file mode 100644
index 8da11e6..0000000
--- a/apps/web/app/api/internal/companies/route.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-import { generateCompanyBearerToken } from "@/lib/token"
-
-export async function GET() {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companies = await prisma.company.findMany({
-    where: { userId: session.userId },
-    orderBy: { name: "asc" },
-    omit: { bearerTokenHash: true },
-  })
-
-  return NextResponse.json({ statusCode: 200, companies })
-}
-
-export async function POST(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    name?: unknown
-    description?: unknown
-  } | null
-
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-  const description = typeof body?.description === "string" ? body.description.trim() : ""
-
-  if (!name) {
-    return badRequest("Company name is required.")
-  }
-
-  const { token, bearerTokenHash } = generateCompanyBearerToken()
-  const company = await prisma.company.create({
-    data: {
-      name,
-      description,
-      userId: session.userId,
-      bearerTokenHash,
-    },
-  })
-
-  return NextResponse.json({ statusCode: 201, company, token }, { status: 201 })
-}
diff --git a/apps/web/app/api/internal/dashboard/brief/route.ts b/apps/web/app/api/internal/dashboard/brief/route.ts
deleted file mode 100644
index bacf8c9..0000000
--- a/apps/web/app/api/internal/dashboard/brief/route.ts
+++ /dev/null
@@ -1,432 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-  getProjectCacheVersion,
-} from "@/lib/api/cache"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-const briefRanges = ["today", "7d"] as const
-const sectionLimit = 10
-
-type BriefRangeKey = (typeof briefRanges)[number]
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const startedAt = Date.now()
-  const companyId = request.nextUrl.searchParams.get("companyId")
-  const rangeParam = request.nextUrl.searchParams.get("range") ?? "today"
-  const projectId = request.nextUrl.searchParams.get("projectId")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  if (!isBriefRange(rangeParam)) {
-    return badRequest("Range must be today or 7d.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const projectFilter = projectId
-    ? await prisma.project.findFirst({
-        where: { id: projectId, companyId: company.id },
-        select: { id: true, name: true },
-      })
-    : null
-
-  if (projectId && !projectFilter) {
-    return badRequest("Project not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(company.id)
-  const projectVersion = projectId
-    ? await getProjectCacheVersion(projectId)
-    : "none"
-  const { value, cacheStatus } = await cacheJson(
-    cacheKey([
-      "internal",
-      "dashboard-brief",
-      session.userId,
-      company.id,
-      projectId,
-      rangeParam,
-      companyVersion,
-      projectVersion,
-    ]),
-    cacheTtl.dashboardBrief,
-    async () => {
-      const now = new Date()
-      const since = getRangeStart(rangeParam, now)
-      const projectWhere = projectId
-    ? { id: projectId, companyId: company.id }
-    : { companyId: company.id }
-      const taskWhere = {
-    archivedAt: null,
-    project: projectWhere,
-  }
-      const projectTaskIds = projectId
-    ? await prisma.task.findMany({
-        where: {
-          projectId,
-          project: { companyId: company.id },
-        },
-        select: { id: true },
-      })
-    : []
-      const auditLogWhere = projectId
-    ? {
-        companyId: company.id,
-        createdAt: { gte: since },
-        OR: [
-          { targetType: "project", targetId: projectId },
-          {
-            targetType: "task",
-            targetId: { in: projectTaskIds.map((task) => task.id) },
-          },
-        ],
-      }
-    : {
-        companyId: company.id,
-        createdAt: { gte: since },
-      }
-      const taskSelect = {
-    id: true,
-    name: true,
-    status: true,
-    note: true,
-    summaryUpdatedAt: true,
-    blockingReason: true,
-    taskUpdatedAt: true,
-    taskUpdatedByName: true,
-    taskUpdatedByType: true,
-    assigned: {
-      select: {
-        id: true,
-        name: true,
-      },
-    },
-    project: {
-      select: {
-        id: true,
-        name: true,
-      },
-    },
-  }
-
-      const [
-    projects,
-    changedTasks,
-    blockedTasks,
-    completedTasks,
-    latestNotes,
-    auditLogs,
-      ] = await Promise.all([
-    prisma.project.findMany({
-      where: { companyId: company.id },
-      orderBy: { name: "asc" },
-      select: { id: true, name: true },
-    }),
-    prisma.task.findMany({
-      where: {
-        ...taskWhere,
-        taskUpdatedAt: { gte: since },
-      },
-      orderBy: { taskUpdatedAt: "desc" },
-      take: 50,
-      select: taskSelect,
-    }),
-    prisma.task.findMany({
-      where: {
-        ...taskWhere,
-        status: Status.blocked,
-      },
-      orderBy: { taskUpdatedAt: "desc" },
-      take: sectionLimit,
-      select: taskSelect,
-    }),
-    prisma.task.findMany({
-      where: {
-        ...taskWhere,
-        status: Status.done,
-        OR: [
-          { taskUpdatedAt: { gte: since } },
-          { summaryUpdatedAt: { gte: since } },
-        ],
-      },
-      orderBy: [{ summaryUpdatedAt: "desc" }, { taskUpdatedAt: "desc" }],
-      take: sectionLimit,
-      select: taskSelect,
-    }),
-    prisma.task.findMany({
-      where: {
-        ...taskWhere,
-        note: { not: null },
-        OR: [
-          { summaryUpdatedAt: { gte: since } },
-          { taskUpdatedAt: { gte: since } },
-        ],
-      },
-      orderBy: [{ summaryUpdatedAt: "desc" }, { taskUpdatedAt: "desc" }],
-      take: sectionLimit,
-      select: taskSelect,
-    }),
-    prisma.auditLog.findMany({
-      where: auditLogWhere,
-      orderBy: { createdAt: "desc" },
-      take: 100,
-      select: {
-        id: true,
-        action: true,
-        targetType: true,
-        targetId: true,
-        targetName: true,
-        details: true,
-        actorType: true,
-        actorName: true,
-        createdAt: true,
-      },
-    }),
-  ])
-
-      const readyForReview = latestNotes
-    .filter((task) => task.status === Status.done && task.note?.trim())
-    .slice(0, sectionLimit)
-    .map((task) => ({
-      ...serializeTask(task),
-      reason: getReviewReason(task.name, task.note ?? ""),
-    }))
-      const brief = {
-    range: {
-      key: rangeParam,
-      label: rangeParam === "today" ? "Last 24 hours" : "Last 7 days",
-      since: since.toISOString(),
-      until: now.toISOString(),
-    },
-    project: projectFilter,
-    projects,
-    counts: {
-      changed: changedTasks.length + auditLogs.length,
-      completed: completedTasks.length,
-      blockers: blockedTasks.length,
-      notes: latestNotes.length,
-      readyForReview: readyForReview.length,
-    },
-    recentActivity: [
-      ...auditLogs.map((log) => ({
-        id: log.id,
-        kind: log.action,
-        title: formatAction(log.action, log.targetName),
-        subtitle: log.details,
-        actorName: log.actorName ?? fallbackActorLabel(log.actorType),
-        actorType: log.actorType,
-        occurredAt: log.createdAt.toISOString(),
-        href: getAuditHref({
-          targetType: log.targetType,
-          targetId: log.targetId,
-          companyId: company.id,
-          projectId,
-        }),
-      })),
-      ...changedTasks.map((task) => ({
-        id: `task-${task.id}`,
-        kind: `task.${task.status}`,
-        title: task.name,
-        subtitle: `${task.project.name} • ${task.status}`,
-        actorName:
-          task.taskUpdatedByName ?? fallbackActorLabel(task.taskUpdatedByType),
-        actorType: task.taskUpdatedByType,
-        occurredAt: task.taskUpdatedAt.toISOString(),
-        href: taskHref(task.project.id, task.id, company.id),
-      })),
-    ]
-      .sort(
-        (left, right) =>
-          new Date(right.occurredAt).getTime() -
-          new Date(left.occurredAt).getTime()
-      )
-      .slice(0, sectionLimit),
-    completedTasks: completedTasks.map((task) =>
-      serializeTask(task, company.id)
-    ),
-    blockers: blockedTasks.map((task) => serializeTask(task, company.id)),
-    latestNotes: latestNotes.map((task) => serializeTask(task, company.id)),
-    readyForReview,
-    suggestedActions: getSuggestedActions({
-      blockers: blockedTasks.length,
-      readyForReview: readyForReview.length,
-      changed: changedTasks.length + auditLogs.length,
-      companyId: company.id,
-    }),
-  }
-
-      return { statusCode: 200, brief }
-    }
-  )
-
-  const jsonResponse = NextResponse.json(value, {
-    headers: { "X-AgentBridge-Cache": cacheStatusHeader(cacheStatus) },
-  })
-  jsonResponse.headers.set(
-    "Server-Timing",
-    `dashboard-brief;dur=${Date.now() - startedAt}`
-  )
-
-  return jsonResponse
-}
-
-function isBriefRange(value: string): value is BriefRangeKey {
-  return briefRanges.includes(value as BriefRangeKey)
-}
-
-function getRangeStart(range: BriefRangeKey, now: Date) {
-  const start = new Date(now)
-  start.setDate(start.getDate() - (range === "today" ? 1 : 7))
-
-  return start
-}
-
-function serializeTask(
-  task: {
-    id: string
-    name: string
-    status: Status
-    note: string | null
-    summaryUpdatedAt: Date | null
-    blockingReason: string | null
-    taskUpdatedAt: Date
-    assigned: { id: string; name: string }
-    project: { id: string; name: string }
-  },
-  companyId?: string
-) {
-  return {
-    id: task.id,
-    name: task.name,
-    status: task.status,
-    summary: task.note,
-    summaryUpdatedAt: task.summaryUpdatedAt?.toISOString() ?? null,
-    blockingReason: task.blockingReason,
-    taskUpdatedAt: task.taskUpdatedAt.toISOString(),
-    assigned: task.assigned,
-    project: task.project,
-    href: taskHref(task.project.id, task.id, companyId),
-  }
-}
-
-function taskHref(projectId: string, taskId: string, companyId?: string) {
-  const search = companyId ? `?company=${companyId}` : ""
-
-  return `/dashboard/projects/${projectId}${search}#task-${taskId}`
-}
-
-function getAuditHref({
-  companyId,
-  targetId,
-  targetType,
-  projectId,
-}: {
-  companyId: string
-  projectId: string | null
-  targetId: string | null
-  targetType: string
-}) {
-  if (targetType === "project" && targetId) {
-    return `/dashboard/projects/${targetId}?company=${companyId}`
-  }
-
-  if (targetType === "task" && targetId && projectId) {
-    return taskHref(projectId, targetId, companyId)
-  }
-
-  return `/dashboard/audit-logs?company=${companyId}`
-}
-
-function formatAction(action: string, targetName: string | null) {
-  const label = action
-    .split(".")
-    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-    .join(" ")
-
-  return targetName ? `${label}: ${targetName}` : label
-}
-
-function fallbackActorLabel(type: string) {
-  if (type === "agent") return "Agent"
-  if (type === "user") return "User"
-
-  return "System"
-}
-
-function getReviewReason(name: string, note: string) {
-  const text = `${name} ${note}`
-
-  if (/merge/i.test(text)) return "Mentions merge"
-  if (/review|qa/i.test(text)) return "Mentions review"
-
-  return "Done with summary"
-}
-
-function getSuggestedActions({
-  blockers,
-  changed,
-  companyId,
-  readyForReview,
-}: {
-  blockers: number
-  changed: number
-  companyId: string
-  readyForReview: number
-}) {
-  const actions: Array<{
-    label: string
-    reason: string
-    href: string
-    priority: "high" | "medium" | "low"
-  }> = []
-
-  if (blockers) {
-    actions.push({
-      label: "Resolve or reassign blockers",
-      reason: `${blockers} blocked task${blockers === 1 ? "" : "s"} need attention.`,
-      href: `/dashboard/projects?company=${companyId}`,
-      priority: "high",
-    })
-  }
-
-  if (readyForReview) {
-    actions.push({
-      label: "Review done summaries",
-      reason: `${readyForReview} completed task${readyForReview === 1 ? "" : "s"} look ready for review.`,
-      href: `/dashboard/notes?company=${companyId}`,
-      priority: "medium",
-    })
-  }
-
-  if (!changed) {
-    actions.push({
-      label: "Check active project boards",
-      reason: "No tracked changes in this range.",
-      href: `/dashboard/projects?company=${companyId}`,
-      priority: "low",
-    })
-  }
-
-  return actions.slice(0, 5)
-}
diff --git a/apps/web/app/api/internal/dashboard/summary/route.ts b/apps/web/app/api/internal/dashboard/summary/route.ts
deleted file mode 100644
index 59b5a77..0000000
--- a/apps/web/app/api/internal/dashboard/summary/route.ts
+++ /dev/null
@@ -1,72 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-} from "@/lib/api/cache"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companyId = request.nextUrl.searchParams.get("companyId")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(companyId)
-  const { value, cacheStatus } = await cacheJson(
-    cacheKey([
-      "internal",
-      "dashboard-summary",
-      session.userId,
-      companyId,
-      companyVersion,
-    ]),
-    cacheTtl.dashboardSummary,
-    async () => {
-      const [agents, projects, tasks] = await Promise.all([
-        prisma.agent.count({ where: { companyId } }),
-        prisma.project.count({ where: { companyId } }),
-        prisma.task.groupBy({
-          by: ["status"],
-          where: { project: { companyId } },
-          _count: { _all: true },
-        }),
-      ])
-
-      const taskCounts = Object.fromEntries(
-        tasks.map((task) => [task.status, task._count._all])
-      )
-
-      return {
-        statusCode: 200,
-        summary: {
-          agents,
-          projects,
-          tasks: taskCounts,
-        },
-      }
-    }
-  )
-
-  return NextResponse.json(value, {
-    headers: { "X-AgentBridge-Cache": cacheStatusHeader(cacheStatus) },
-  })
-}
diff --git a/apps/web/app/api/internal/notes/[taskId]/read/route.ts b/apps/web/app/api/internal/notes/[taskId]/read/route.ts
deleted file mode 100644
index 07deb5c..0000000
--- a/apps/web/app/api/internal/notes/[taskId]/read/route.ts
+++ /dev/null
@@ -1,81 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import { invalidateCompanyCache } from "@/lib/api/cache"
-import { notFound, requireInternalSession } from "@/lib/api/internal"
-import { findReviewReader } from "@/lib/api/review-reader"
-import { prisma } from "@/lib/prisma"
-
-type RouteContext = {
-  params: Promise<{ taskId: string }>
-}
-
-export async function POST(_request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { taskId } = await params
-  const task = await prisma.task.findFirst({
-    where: {
-      id: taskId,
-      status: Status.done,
-      archivedAt: null,
-      note: { not: null },
-      project: { company: { userId: session.userId } },
-    },
-    select: {
-      id: true,
-      note: true,
-      summaryUpdatedAt: true,
-      taskUpdatedAt: true,
-      project: { select: { companyId: true } },
-    },
-  })
-
-  if (!task) {
-    return notFound("Done task note not found.")
-  }
-
-  const reviewReader = await findReviewReader(task.project.companyId)
-
-  if (!reviewReader) {
-    return notFound("Review reader agent not found.")
-  }
-
-  const readAt = new Date()
-
-  await prisma.$transaction(async (tx) => {
-    if (!task.summaryUpdatedAt) {
-      await tx.task.update({
-        where: { id: task.id },
-        data: { summaryUpdatedAt: task.taskUpdatedAt },
-      })
-    }
-
-    await tx.taskReadMarker.upsert({
-      where: {
-        taskId_agentId_status: {
-          taskId: task.id,
-          agentId: reviewReader.id,
-          status: Status.done,
-        },
-      },
-      create: {
-        taskId: task.id,
-        agentId: reviewReader.id,
-        status: Status.done,
-        readAt,
-      },
-      update: { readAt },
-    })
-  })
-
-  await invalidateCompanyCache(task.project.companyId)
-
-  return NextResponse.json({
-    statusCode: 200,
-    taskId: task.id,
-    readBy: reviewReader.AgentId,
-  })
-}
diff --git a/apps/web/app/api/internal/notes/route.ts b/apps/web/app/api/internal/notes/route.ts
deleted file mode 100644
index c920569..0000000
--- a/apps/web/app/api/internal/notes/route.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-} from "@/lib/api/cache"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { findReviewReader } from "@/lib/api/review-reader"
-import { prisma } from "@/lib/prisma"
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companyId = request.nextUrl.searchParams.get("company")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(company.id)
-  const { value, cacheStatus } = await cacheJson(
-    cacheKey(["internal", "notes", session.userId, company.id, companyVersion]),
-    cacheTtl.notes,
-    async () => {
-      const reviewReader = await findReviewReader(company.id)
-
-      if (!reviewReader) {
-        return {
-          statusCode: 200,
-          notes: [],
-          reviewReader: null,
-        }
-      }
-
-      const notes = await prisma.task.findMany({
-        where: {
-          archivedAt: null,
-          note: { not: null },
-          status: "done",
-          project: { companyId: company.id },
-        },
-        orderBy: [{ summaryUpdatedAt: "desc" }, { name: "asc" }],
-        take: 100,
-        select: {
-          id: true,
-          name: true,
-          status: true,
-          note: true,
-          summaryUpdatedAt: true,
-          taskUpdatedAt: true,
-          assigned: {
-            select: {
-              id: true,
-              name: true,
-              position: true,
-            },
-          },
-          project: {
-            select: {
-              id: true,
-              name: true,
-            },
-          },
-          readMarkers: {
-            where: {
-              status: "done",
-              agentId: reviewReader.id,
-            },
-            select: { readAt: true },
-          },
-        },
-      })
-      const unreadNotes = notes.filter((task) => {
-        const readAt = task.readMarkers[0]?.readAt
-
-        const summaryUpdatedAt = task.summaryUpdatedAt ?? task.taskUpdatedAt
-
-        return !readAt || readAt < summaryUpdatedAt
-      })
-
-      return {
-        statusCode: 200,
-        reviewReader,
-        notes: unreadNotes.map((task) => ({
-          id: task.id,
-          name: task.name,
-          status: task.status,
-          note: task.note ?? "",
-          summaryUpdatedAt: (task.summaryUpdatedAt ?? task.taskUpdatedAt).toISOString(),
-          assigned: task.assigned,
-          project: task.project,
-        })),
-      }
-    }
-  )
-
-  return NextResponse.json(value, {
-    headers: { "X-AgentBridge-Cache": cacheStatusHeader(cacheStatus) },
-  })
-}
diff --git a/apps/web/app/api/internal/projects/[projectId]/agents/route.ts b/apps/web/app/api/internal/projects/[projectId]/agents/route.ts
deleted file mode 100644
index bca31eb..0000000
--- a/apps/web/app/api/internal/projects/[projectId]/agents/route.ts
+++ /dev/null
@@ -1,123 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { createAuditLog } from "@/lib/api/audit-log"
-import { projectAgentSelect, serializeProjectAgents } from "@/lib/api/project-agents"
-import { badRequest, notFound, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-type RouteContext = {
-  params: Promise<{ projectId: string }>
-}
-
-export async function PUT(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as { agentIds?: unknown } | null
-  const agentIds = parseStringIds(body?.agentIds)
-
-  if (!agentIds) {
-    return badRequest("Invalid project agents.")
-  }
-
-  const { projectId } = await params
-  const project = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: {
-      id: true,
-      name: true,
-      companyId: true,
-      agents: {
-        select: {
-          agent: {
-            select: { id: true, name: true },
-          },
-        },
-      },
-    },
-  })
-
-  if (!project) {
-    return notFound("Project not found.")
-  }
-
-  const agents = agentIds.length
-    ? await prisma.agent.findMany({
-        where: {
-          id: { in: agentIds },
-          companyId: project.companyId,
-          company: { userId: session.userId },
-        },
-        select: { id: true, name: true },
-      })
-    : []
-
-  if (agents.length !== agentIds.length) {
-    return badRequest("Project agent not found.")
-  }
-
-  const previousAgentIds = new Set(project.agents.map(({ agent }) => agent.id))
-  const nextAgentIds = new Set(agentIds)
-  const removedAgentNames = project.agents
-    .filter(({ agent }) => !nextAgentIds.has(agent.id))
-    .map(({ agent }) => agent.name)
-  const addedAgentNames = agents
-    .filter((agent) => !previousAgentIds.has(agent.id))
-    .map((agent) => agent.name)
-
-  const projectAgents = await prisma.$transaction(async (tx: typeof prisma) => {
-    await tx.projectAgent.deleteMany({
-      where: {
-        projectId: project.id,
-        agentId: { notIn: agentIds },
-      },
-    })
-
-    if (agentIds.length) {
-      await tx.projectAgent.createMany({
-        data: agentIds.map((agentId) => ({ projectId: project.id, agentId })),
-        skipDuplicates: true,
-      })
-    }
-
-    return tx.projectAgent.findMany({
-      where: { projectId: project.id },
-      orderBy: { agent: { name: "asc" } },
-      select: projectAgentSelect,
-    })
-  })
-
-  await createAuditLog({
-    companyId: project.companyId,
-    action: "project.agents.updated",
-    target: { type: "project", id: project.id, name: project.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: formatProjectAgentChanges(addedAgentNames, removedAgentNames),
-  })
-
-  return NextResponse.json({
-    statusCode: 200,
-    projectAgents: serializeProjectAgents(projectAgents),
-  })
-}
-
-function parseStringIds(value: unknown) {
-  if (!Array.isArray(value)) return null
-
-  const ids = value.filter((item): item is string => typeof item === "string" && Boolean(item))
-
-  return ids.length === value.length ? Array.from(new Set(ids)) : null
-}
-
-function formatProjectAgentChanges(added: string[], removed: string[]) {
-  const changes = [
-    added.length ? `Added ${added.join(", ")}` : null,
-    removed.length ? `Removed ${removed.join(", ")}` : null,
-  ].filter(Boolean)
-
-  return changes.length ? `${changes.join("; ")}.` : "Project agents unchanged."
-}
diff --git a/apps/web/app/api/internal/projects/[projectId]/archive-done/route.ts b/apps/web/app/api/internal/projects/[projectId]/archive-done/route.ts
deleted file mode 100644
index dc036f4..0000000
--- a/apps/web/app/api/internal/projects/[projectId]/archive-done/route.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import { createAuditLog } from "@/lib/api/audit-log"
-import { notFound, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-type RouteContext = {
-  params: Promise<{ projectId: string }>
-}
-
-export async function POST(_request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { projectId } = await params
-  const project = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: { id: true, companyId: true, name: true },
-  })
-
-  if (!project) {
-    return notFound("Project not found.")
-  }
-
-  const archivedAt = new Date()
-  const result = await prisma.task.updateMany({
-    where: {
-      projectId: project.id,
-      status: Status.done,
-      archivedAt: null,
-    },
-    data: { archivedAt },
-  })
-
-  await createAuditLog({
-    companyId: project.companyId,
-    action: "project.tasks.archived",
-    target: { type: "project", id: project.id, name: project.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: `Archived ${result.count} done task${result.count === 1 ? "" : "s"}.`,
-  })
-
-  return NextResponse.json({
-    statusCode: 200,
-    archivedCount: result.count,
-    archivedAt: archivedAt.toISOString(),
-  })
-}
diff --git a/apps/web/app/api/internal/projects/[projectId]/route.ts b/apps/web/app/api/internal/projects/[projectId]/route.ts
deleted file mode 100644
index 156ece0..0000000
--- a/apps/web/app/api/internal/projects/[projectId]/route.ts
+++ /dev/null
@@ -1,387 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-  getProjectCacheVersion,
-  invalidateProjectAndCompanyCache,
-} from "@/lib/api/cache"
-import {
-  projectAgentSelect,
-  serializeProjectAgents,
-} from "@/lib/api/project-agents"
-import {
-  badRequest,
-  notFound,
-  requireInternalSession,
-} from "@/lib/api/internal"
-import {
-  appendServerTiming,
-  formatServerTimingMetric,
-  startServerTiming,
-} from "@/lib/api/server-timing"
-import { prisma } from "@/lib/prisma"
-
-type RouteContext = {
-  params: Promise<{ projectId: string }>
-}
-
-export async function GET(_request: Request, { params }: RouteContext) {
-  const totalTiming = startServerTiming("ab-project-detail", "total")
-  const { session, response: authResponse } = await requireInternalSession()
-
-  if (authResponse) return authResponse
-
-  const { projectId } = await params
-  const projectQueryTiming = startServerTiming("ab-project-shell", "project shell")
-  const projectShell = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: {
-      id: true,
-      companyId: true,
-      name: true,
-      description: true,
-      company: {
-        select: {
-          id: true,
-          name: true,
-          agents: {
-            orderBy: { name: "asc" },
-            select: {
-              id: true,
-              AgentId: true,
-              name: true,
-              position: true,
-            },
-          },
-        },
-      },
-      agents: {
-        orderBy: { agent: { name: "asc" } },
-        select: projectAgentSelect,
-      },
-    },
-  })
-
-  const projectTiming = formatServerTimingMetric(projectQueryTiming)
-
-  if (!projectShell) {
-    return notFound("Project not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(projectShell.companyId)
-  const projectVersion = await getProjectCacheVersion(projectShell.id)
-  const cacheResult = await cacheJson(
-    cacheKey([
-      "internal",
-      "project-detail",
-      session.userId,
-      projectShell.companyId,
-      projectShell.id,
-      companyVersion,
-      projectVersion,
-    ]),
-    cacheTtl.projectDetail,
-    async () => {
-      const project = projectShell
-      const tasksTiming = startServerTiming("ab-project-tasks", "task cards")
-      const tasks = await prisma.task.findMany({
-        where: { projectId: project.id, archivedAt: null },
-        orderBy: { name: "asc" },
-        select: {
-          id: true,
-          name: true,
-          note: true,
-          summaryUpdatedAt: true,
-          taskUpdatedAt: true,
-          taskUpdatedById: true,
-          taskUpdatedByName: true,
-          taskUpdatedByType: true,
-          status: true,
-          blockingReason: true,
-          readMarkers: {
-            where: { status: Status.done, agent: { AgentId: "main" } },
-            select: { readAt: true },
-          },
-          assigned: {
-            select: {
-              id: true,
-              name: true,
-              position: true,
-            },
-          },
-        },
-      })
-      const taskIds = tasks.map((task) => task.id)
-      const tasksHeaderTiming = formatServerTimingMetric(tasksTiming)
-
-      const metadataTiming = startServerTiming(
-        "ab-project-task-meta",
-        "read/dependency meta"
-      )
-      const [readCounts, dependencyEdges] = taskIds.length
-        ? await Promise.all([
-            prisma.taskReadMarker.groupBy({
-              by: ["taskId", "status"],
-              where: { taskId: { in: taskIds } },
-              _count: { _all: true },
-            }),
-            prisma.taskDependency.findMany({
-              where: {
-                OR: [
-                  { blockedTaskId: { in: taskIds } },
-                  { dependencyTaskId: { in: taskIds } },
-                ],
-              },
-              orderBy: { createdAt: "asc" },
-              select: {
-                blockedTaskId: true,
-                dependencyTaskId: true,
-                blockedTask: {
-                  select: {
-                    id: true,
-                    name: true,
-                    status: true,
-                    archivedAt: true,
-                  },
-                },
-                dependencyTask: {
-                  select: {
-                    id: true,
-                    name: true,
-                    status: true,
-                    archivedAt: true,
-                  },
-                },
-              },
-            }),
-          ])
-        : [[], []]
-      const metadataHeaderTiming = formatServerTimingMetric(metadataTiming)
-
-      const readCountByTaskStatus = new Map<string, number>()
-      for (const readCount of readCounts) {
-        readCountByTaskStatus.set(
-          `${readCount.taskId}:${readCount.status}`,
-          readCount._count._all
-        )
-      }
-
-      const dependenciesByTask = new Map<
-        string,
-        Array<{
-          dependencyTask: {
-            id: string
-            name: string
-            status: (typeof tasks)[number]["status"]
-          }
-        }>
-      >()
-      const unblocksByTask = new Map<
-        string,
-        Array<{
-          blockedTask: {
-            id: string
-            name: string
-            status: (typeof tasks)[number]["status"]
-          }
-        }>
-      >()
-      for (const edge of dependencyEdges) {
-        if (edge.blockedTask.archivedAt || edge.dependencyTask.archivedAt) {
-          continue
-        }
-
-        const blockedByDependencies =
-          dependenciesByTask.get(edge.blockedTaskId) ?? []
-        blockedByDependencies.push({ dependencyTask: edge.dependencyTask })
-        dependenciesByTask.set(edge.blockedTaskId, blockedByDependencies)
-
-        const unblocksDependencies =
-          unblocksByTask.get(edge.dependencyTaskId) ?? []
-        unblocksDependencies.push({ blockedTask: edge.blockedTask })
-        unblocksByTask.set(edge.dependencyTaskId, unblocksDependencies)
-      }
-
-      return {
-        body: {
-          statusCode: 200,
-          project: {
-            ...project,
-            projectAgents: serializeProjectAgents(project.agents),
-            agents: undefined,
-            tasks: tasks.map((task) => {
-              const { note, readMarkers, ...taskCard } = task
-              const dependencies =
-                dependenciesByTask
-                  .get(task.id)
-                  ?.map((dependency) => dependency.dependencyTask) ?? []
-              const unblocks =
-                unblocksByTask
-                  .get(task.id)
-                  ?.map((dependency) => dependency.blockedTask) ?? []
-              const doneReviewReadAt = readMarkers[0]?.readAt
-
-              const notePreview = compactText(note)
-              const summaryUpdatedAt = getTaskSummaryUpdatedAt({
-                note,
-                summaryUpdatedAt: task.summaryUpdatedAt,
-                taskUpdatedAt: task.taskUpdatedAt,
-              })
-
-              return {
-                ...taskCard,
-                notePreview,
-                summaryUpdatedAt,
-                blockingReason: null,
-                readCount:
-                  readCountByTaskStatus.get(`${task.id}:${task.status}`) ?? 0,
-                blockingReasonPreview: compactText(task.blockingReason),
-                dependencies: dependencies.slice(0, 3),
-                dependencyIds: dependencies.map((dependency) => dependency.id),
-                dependencyCount: dependencies.length,
-                unblocks: unblocks.slice(0, 3),
-                unblocksCount: unblocks.length,
-                isDependencyReady:
-                  dependencies.length > 0 &&
-                  dependencies.every(
-                    (dependency) => dependency.status === Status.done
-                  ),
-                isUnreadDoneSummary:
-                  task.status === Status.done &&
-                  Boolean(summaryUpdatedAt) &&
-                  (!doneReviewReadAt ||
-                    new Date(doneReviewReadAt) <
-                      new Date(summaryUpdatedAt ?? 0)),
-              }
-            }),
-          },
-        },
-        timings: [tasksHeaderTiming, metadataHeaderTiming],
-      }
-    }
-  )
-
-  const jsonResponse = NextResponse.json(cacheResult.value.body, {
-    headers: {
-      "X-AgentBridge-Cache": cacheStatusHeader(cacheResult.cacheStatus),
-    },
-  })
-  appendServerTiming(jsonResponse.headers, [
-    projectTiming,
-    ...cacheResult.value.timings,
-    totalTiming,
-  ])
-
-  return jsonResponse
-}
-
-export async function PATCH(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    name?: unknown
-  } | null
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-
-  if (!name) {
-    return badRequest("Project name is required.")
-  }
-
-  const { projectId } = await params
-  const project = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: { id: true, companyId: true, name: true },
-  })
-
-  if (!project) {
-    return notFound("Project not found.")
-  }
-
-  const updatedProject = await prisma.project.update({
-    where: { id: project.id },
-    data: { name },
-  })
-
-  await createAuditLog({
-    companyId: project.companyId,
-    action: "project.updated",
-    target: { type: "project", id: project.id, name: updatedProject.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: formatChangedFields([
-      project.name !== updatedProject.name && "name",
-    ]),
-  })
-  await invalidateProjectAndCompanyCache({
-    companyId: project.companyId,
-    projectId: project.id,
-  })
-
-  return NextResponse.json({ statusCode: 200, project: updatedProject })
-}
-
-function compactText(text: string | null) {
-  if (!text) return null
-
-  const compact = text.replace(/\s+/g, " ").trim()
-
-  return compact.length > 180 ? `${compact.slice(0, 177)}...` : compact
-}
-
-function getTaskSummaryUpdatedAt(task: {
-  note: string | null
-  summaryUpdatedAt: Date | null
-  taskUpdatedAt: Date
-}) {
-  if (!compactText(task.note)) return null
-
-  return task.summaryUpdatedAt ?? task.taskUpdatedAt
-}
-
-export async function DELETE(_request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { projectId } = await params
-  const project = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: { id: true, companyId: true, name: true },
-  })
-
-  if (!project) {
-    return notFound("Project not found.")
-  }
-
-  await prisma.project.delete({ where: { id: project.id } })
-
-  await createAuditLog({
-    companyId: project.companyId,
-    action: "project.deleted",
-    target: { type: "project", id: project.id, name: project.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: "Project deleted.",
-  })
-  await invalidateProjectAndCompanyCache({
-    companyId: project.companyId,
-    projectId: project.id,
-  })
-
-  return NextResponse.json({ statusCode: 200, projectId: project.id })
-}
diff --git a/apps/web/app/api/internal/projects/route.ts b/apps/web/app/api/internal/projects/route.ts
deleted file mode 100644
index f972c49..0000000
--- a/apps/web/app/api/internal/projects/route.ts
+++ /dev/null
@@ -1,99 +0,0 @@
-import { NextRequest, NextResponse } from "next/server"
-
-import { createAuditLog } from "@/lib/api/audit-log"
-import {
-  cacheJson,
-  cacheKey,
-  cacheStatusHeader,
-  cacheTtl,
-  getCompanyCacheVersion,
-  invalidateCompanyCache,
-} from "@/lib/api/cache"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { prisma } from "@/lib/prisma"
-
-export async function GET(request: NextRequest) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const companyId = request.nextUrl.searchParams.get("companyId")
-
-  if (!companyId) {
-    return badRequest("Company is required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-    select: { id: true },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const companyVersion = await getCompanyCacheVersion(companyId)
-  const { value, cacheStatus } = await cacheJson(
-    cacheKey(["internal", "projects", session.userId, companyId, companyVersion]),
-    cacheTtl.projectList,
-    async () => {
-      const projects = await prisma.project.findMany({
-        where: { companyId },
-        orderBy: { name: "asc" },
-      })
-
-      return { statusCode: 200, projects }
-    }
-  )
-
-  return NextResponse.json(value, {
-    headers: { "X-AgentBridge-Cache": cacheStatusHeader(cacheStatus) },
-  })
-}
-
-export async function POST(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    companyId?: unknown
-    name?: unknown
-    description?: unknown
-  } | null
-
-  const companyId = typeof body?.companyId === "string" ? body.companyId : ""
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-  const description = typeof body?.description === "string" ? body.description.trim() : ""
-
-  if (!companyId || !name) {
-    return badRequest("Company and project name are required.")
-  }
-
-  const company = await prisma.company.findFirst({
-    where: { id: companyId, userId: session.userId },
-  })
-
-  if (!company) {
-    return badRequest("Company not found.")
-  }
-
-  const project = await prisma.project.create({
-    data: {
-      companyId,
-      name,
-      description,
-    },
-  })
-
-  await createAuditLog({
-    companyId,
-    action: "project.created",
-    target: { type: "project", id: project.id, name: project.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: description ? "Project created with a description." : "Project created.",
-  })
-  await invalidateCompanyCache(companyId)
-
-  return NextResponse.json({ statusCode: 201, project }, { status: 201 })
-}
diff --git a/apps/web/app/api/internal/tasks/[taskId]/route.ts b/apps/web/app/api/internal/tasks/[taskId]/route.ts
deleted file mode 100644
index 18d088d..0000000
--- a/apps/web/app/api/internal/tasks/[taskId]/route.ts
+++ /dev/null
@@ -1,439 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import { createAuditLog, formatChangedFields } from "@/lib/api/audit-log"
-import { hasDependencyCycle, serializeTaskDependencies } from "@/lib/api/task-dependencies"
-import { badRequest, notFound, requireInternalSession } from "@/lib/api/internal"
-import {
-  appendServerTiming,
-  startServerTiming,
-} from "@/lib/api/server-timing"
-import { userTaskUpdater } from "@/lib/api/task-updater"
-import { prisma } from "@/lib/prisma"
-
-const statuses = Object.values(Status)
-
-type RouteContext = {
-  params: Promise<{ taskId: string }>
-}
-
-export async function GET(_request: Request, { params }: RouteContext) {
-  const totalTiming = startServerTiming("ab-task-detail", "total")
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { taskId } = await params
-  const task = await prisma.task.findFirst({
-    where: {
-      id: taskId,
-      project: { company: { userId: session.userId } },
-      archivedAt: null,
-    },
-    select: {
-      id: true,
-      name: true,
-      job: true,
-      status: true,
-      note: true,
-      summaryUpdatedAt: true,
-      blockingReason: true,
-      archivedAt: true,
-      taskUpdatedAt: true,
-      taskUpdatedById: true,
-      taskUpdatedByName: true,
-      taskUpdatedByType: true,
-      assigned: {
-        select: {
-          id: true,
-          name: true,
-          position: true,
-        },
-      },
-      readMarkers: {
-        select: {
-          agentId: true,
-          status: true,
-          readAt: true,
-          agent: {
-            select: {
-              id: true,
-              AgentId: true,
-              name: true,
-            },
-          },
-        },
-        orderBy: { readAt: "desc" },
-      },
-      blockedByDependencies: {
-        select: {
-          dependencyTask: {
-            select: {
-              id: true,
-              name: true,
-              status: true,
-            },
-          },
-        },
-        orderBy: { createdAt: "asc" },
-      },
-      unblocksDependencies: {
-        select: {
-          blockedTask: {
-            select: {
-              id: true,
-              name: true,
-              status: true,
-            },
-          },
-        },
-        orderBy: { createdAt: "asc" },
-      },
-    },
-  })
-
-  if (!task) {
-    return notFound("Task not found.")
-  }
-
-  const jsonResponse = NextResponse.json({
-    statusCode: 200,
-    task: serializeTaskDependencies(task),
-  })
-  appendServerTiming(jsonResponse.headers, [totalTiming])
-
-  return jsonResponse
-}
-
-export async function PATCH(request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-  const body = (await request.json().catch(() => null)) as {
-    assignedAgentId?: unknown
-    name?: unknown
-    job?: unknown
-    status?: unknown
-    note?: unknown
-    readByAgentIds?: unknown
-    dependencyIds?: unknown
-    blockingReason?: unknown
-  } | null
-  const assignedAgentId =
-    typeof body?.assignedAgentId === "string" ? body.assignedAgentId : undefined
-  const name = typeof body?.name === "string" ? body.name.trim() : undefined
-  const job = typeof body?.job === "string" ? body.job.trim() : undefined
-  const status = typeof body?.status === "string" ? body.status : undefined
-  const note = typeof body?.note === "string" ? body.note.trim() : undefined
-  const readByAgentIds = parseStringIds(body?.readByAgentIds)
-  const hasReadByAgentIds = body?.readByAgentIds !== undefined
-  const dependencyIds = parseStringIds(body?.dependencyIds)
-  const hasDependencyIds = body?.dependencyIds !== undefined
-  const blockingReason =
-    typeof body?.blockingReason === "string" ? body.blockingReason.trim() : undefined
-
-  if (hasReadByAgentIds && !readByAgentIds) {
-    return badRequest("Invalid read markers.")
-  }
-
-  if (hasDependencyIds && !dependencyIds) {
-    return badRequest("Invalid dependency tasks.")
-  }
-
-  if (status && !statuses.includes(status as Status)) {
-    return badRequest("Invalid task status.")
-  }
-
-  if (name === "" || job === "") {
-    return badRequest("Task name and job are required.")
-  }
-
-  if (
-    !assignedAgentId &&
-    !name &&
-    !job &&
-    !status &&
-    note === undefined &&
-    !hasReadByAgentIds &&
-    !hasDependencyIds &&
-    blockingReason === undefined
-  ) {
-    return badRequest("No task changes provided.")
-  }
-
-  const { taskId } = await params
-  const task = await prisma.task.findFirst({
-    where: {
-      id: taskId,
-      project: { company: { userId: session.userId } },
-      archivedAt: null,
-    },
-    select: {
-      id: true,
-      name: true,
-      job: true,
-      note: true,
-      status: true,
-      blockingReason: true,
-      assignedAgentId: true,
-      projectId: true,
-      project: { select: { companyId: true } },
-      assigned: { select: { name: true } },
-      blockedByDependencies: { select: { dependencyTaskId: true } },
-    },
-  })
-
-  if (!task) {
-    return notFound("Task not found.")
-  }
-
-  if (assignedAgentId && assignedAgentId !== task.assignedAgentId) {
-    const projectAgent = await prisma.projectAgent.findFirst({
-      where: {
-        projectId: task.projectId,
-        agentId: assignedAgentId,
-        project: { company: { userId: session.userId } },
-      },
-      select: { agentId: true },
-    })
-
-    if (!projectAgent) {
-      return badRequest("Agent is not assigned to this project.")
-    }
-  }
-
-  if (hasDependencyIds && dependencyIds?.includes(task.id)) {
-    return badRequest("Task cannot depend on itself.")
-  }
-
-  if (hasDependencyIds && dependencyIds?.length) {
-    const dependencyTasks = await prisma.task.findMany({
-      where: {
-        id: { in: dependencyIds },
-        projectId: task.projectId,
-        archivedAt: null,
-        project: { company: { userId: session.userId } },
-      },
-      select: { id: true },
-    })
-
-    if (dependencyTasks.length !== dependencyIds.length) {
-      return badRequest("Dependency task not found.")
-    }
-
-    const projectDependencies = await prisma.taskDependency.findMany({
-      where: { blockedTask: { projectId: task.projectId, archivedAt: null } },
-      select: { blockedTaskId: true, dependencyTaskId: true },
-    })
-
-    if (hasDependencyCycle(projectDependencies, task.id, dependencyIds)) {
-      return badRequest("Task dependencies cannot create a cycle.")
-    }
-  }
-
-  if (hasReadByAgentIds && readByAgentIds?.length) {
-    const readAgents = await prisma.agent.findMany({
-      where: {
-        id: { in: readByAgentIds },
-        company: { userId: session.userId },
-      },
-      select: { id: true },
-    })
-
-    if (readAgents.length !== readByAgentIds.length) {
-      return badRequest("Read marker agent not found.")
-    }
-  }
-
-  const nextStatus = (status as Status | undefined) ?? task.status
-  const statusChanged = nextStatus !== task.status
-  const noteChanged = note !== undefined && (note || null) !== task.note
-  const shouldClearNextStatusReads = !hasReadByAgentIds && (statusChanged || noteChanged)
-  const updatedTask = await prisma.$transaction(async (tx: typeof prisma) => {
-    if (hasReadByAgentIds) {
-      await tx.taskReadMarker.deleteMany({
-        where: {
-          taskId: task.id,
-          status: nextStatus,
-          agentId: { notIn: readByAgentIds ?? [] },
-        },
-      })
-
-      if (readByAgentIds?.length) {
-        await Promise.all(
-          readByAgentIds.map((agentId) =>
-            tx.taskReadMarker.upsert({
-              where: {
-                taskId_agentId_status: {
-                  taskId: task.id,
-                  agentId,
-                  status: nextStatus,
-                },
-              },
-              create: {
-                taskId: task.id,
-                agentId,
-                status: nextStatus,
-              },
-              update: { readAt: new Date() },
-            })
-          )
-        )
-      }
-    }
-
-    if (shouldClearNextStatusReads) {
-      await tx.taskReadMarker.deleteMany({ where: { taskId: task.id, status: nextStatus } })
-    }
-
-    if (hasDependencyIds) {
-      await tx.taskDependency.deleteMany({ where: { blockedTaskId: task.id } })
-
-      if (dependencyIds?.length) {
-        await tx.taskDependency.createMany({
-          data: dependencyIds.map((dependencyTaskId) => ({
-            blockedTaskId: task.id,
-            dependencyTaskId,
-          })),
-        })
-      }
-    }
-
-    return tx.task.update({
-      where: { id: task.id },
-      data: {
-        ...(assignedAgentId ? { assignedAgentId } : {}),
-        ...(name ? { name } : {}),
-        ...(job ? { job } : {}),
-        ...(status ? { status: status as Status } : {}),
-        ...(noteChanged
-          ? { note: note || null, summaryUpdatedAt: note ? new Date() : null }
-          : {}),
-        ...(blockingReason !== undefined ? { blockingReason: blockingReason || null } : {}),
-        ...userTaskUpdater({ id: session.userId, name: session.username }),
-      },
-      select: {
-        id: true,
-        name: true,
-        job: true,
-        status: true,
-        note: true,
-        summaryUpdatedAt: true,
-        blockingReason: true,
-        archivedAt: true,
-        taskUpdatedAt: true,
-        taskUpdatedById: true,
-        taskUpdatedByName: true,
-        taskUpdatedByType: true,
-        assigned: {
-          select: {
-            id: true,
-            name: true,
-            position: true,
-          },
-        },
-        readMarkers: {
-          select: {
-            agentId: true,
-            status: true,
-            readAt: true,
-            agent: {
-              select: {
-                id: true,
-                AgentId: true,
-                name: true,
-              },
-            },
-          },
-          orderBy: { readAt: "desc" },
-        },
-        blockedByDependencies: {
-          select: {
-            dependencyTask: {
-              select: {
-                id: true,
-                name: true,
-                status: true,
-              },
-            },
-          },
-          orderBy: { createdAt: "asc" },
-        },
-        unblocksDependencies: {
-          select: {
-            blockedTask: {
-              select: {
-                id: true,
-                name: true,
-                status: true,
-              },
-            },
-          },
-          orderBy: { createdAt: "asc" },
-        },
-      },
-    })
-  })
-
-  await createAuditLog({
-    companyId: task.project.companyId,
-    action: status && status !== task.status ? "task.status_changed" : "task.updated",
-    target: { type: "task", id: task.id, name: updatedTask.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: formatChangedFields([
-      name && name !== task.name && "name",
-      job && job !== task.job && "job",
-      status && status !== task.status && `status (${task.status} → ${status})`,
-      assignedAgentId && assignedAgentId !== task.assignedAgentId && "assignee",
-      noteChanged && "result note",
-      hasReadByAgentIds && "read markers",
-      hasDependencyIds && "dependencies",
-      blockingReason !== undefined &&
-        (blockingReason || null) !== task.blockingReason &&
-        "blocking reason",
-    ]),
-  })
-
-  return NextResponse.json({ statusCode: 200, task: serializeTaskDependencies(updatedTask) })
-}
-
-function parseStringIds(value: unknown) {
-  if (value === undefined) return []
-  if (!Array.isArray(value)) return null
-
-  const ids = value.filter((item): item is string => typeof item === "string" && Boolean(item))
-
-  return ids.length === value.length ? Array.from(new Set(ids)) : null
-}
-
-export async function DELETE(_request: Request, { params }: RouteContext) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const { taskId } = await params
-  const task = await prisma.task.findFirst({
-    where: {
-      id: taskId,
-      project: { company: { userId: session.userId } },
-      archivedAt: null,
-    },
-    select: { id: true, name: true, project: { select: { companyId: true } } },
-  })
-
-  if (!task) {
-    return notFound("Task not found.")
-  }
-
-  await prisma.task.delete({ where: { id: task.id } })
-
-  await createAuditLog({
-    companyId: task.project.companyId,
-    action: "task.deleted",
-    target: { type: "task", id: task.id, name: task.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: "Task deleted.",
-  })
-
-  return NextResponse.json({ statusCode: 200, taskId: task.id })
-}
diff --git a/apps/web/app/api/internal/tasks/route.ts b/apps/web/app/api/internal/tasks/route.ts
deleted file mode 100644
index 0ce9a74..0000000
--- a/apps/web/app/api/internal/tasks/route.ts
+++ /dev/null
@@ -1,186 +0,0 @@
-import { NextResponse } from "next/server"
-
-import { Status } from "@/generated/prisma/enums"
-import { createAuditLog } from "@/lib/api/audit-log"
-import { serializeTaskDependencies } from "@/lib/api/task-dependencies"
-import { badRequest, requireInternalSession } from "@/lib/api/internal"
-import { userTaskUpdater } from "@/lib/api/task-updater"
-import { prisma } from "@/lib/prisma"
-
-const statuses = Object.values(Status)
-
-export async function POST(request: Request) {
-  const { session, response } = await requireInternalSession()
-
-  if (response) return response
-
-  const body = (await request.json().catch(() => null)) as {
-    projectId?: unknown
-    assignedAgentId?: unknown
-    name?: unknown
-    job?: unknown
-    status?: unknown
-    note?: unknown
-    readByAgentIds?: unknown
-    dependencyIds?: unknown
-    blockingReason?: unknown
-  } | null
-
-  const projectId = typeof body?.projectId === "string" ? body.projectId : ""
-  const assignedAgentId = typeof body?.assignedAgentId === "string" ? body.assignedAgentId : ""
-  const name = typeof body?.name === "string" ? body.name.trim() : ""
-  const job = typeof body?.job === "string" ? body.job.trim() : ""
-  const status = typeof body?.status === "string" ? body.status : "todo"
-  const note = typeof body?.note === "string" ? body.note.trim() : ""
-  const blockingReason =
-    typeof body?.blockingReason === "string" ? body.blockingReason.trim() : ""
-
-  if (!projectId || !assignedAgentId || !name || !job) {
-    return badRequest("Project, agent, name, and job are required.")
-  }
-
-  if (!statuses.includes(status as Status)) {
-    return badRequest("Invalid task status.")
-  }
-
-  const readByAgentIds = parseStringIds(body?.readByAgentIds)
-  const dependencyIds = parseStringIds(body?.dependencyIds)
-
-  if (!readByAgentIds) {
-    return badRequest("Invalid read markers.")
-  }
-
-  if (!dependencyIds) {
-    return badRequest("Invalid dependency tasks.")
-  }
-
-  const project = await prisma.project.findFirst({
-    where: {
-      id: projectId,
-      company: { userId: session.userId },
-    },
-    select: {
-      id: true,
-      companyId: true,
-      tasks: {
-        where: { id: { in: dependencyIds }, archivedAt: null },
-        select: { id: true },
-      },
-      company: {
-        select: {
-          agents: {
-            where: { id: { in: readByAgentIds } },
-            select: { id: true },
-          },
-        },
-      },
-      agents: {
-        where: { agentId: assignedAgentId },
-        select: { agentId: true },
-      },
-    },
-  })
-
-  if (!project) {
-    return badRequest("Project or agent not found.")
-  }
-
-  if (!project.agents.length) {
-    return badRequest("Agent is not assigned to this project.")
-  }
-
-  if (project.company.agents.length !== readByAgentIds.length) {
-    return badRequest("Read marker agent not found.")
-  }
-
-  if (project.tasks.length !== dependencyIds.length) {
-    return badRequest("Dependency task not found.")
-  }
-
-  const task = await prisma.task.create({
-    data: {
-      projectId,
-      assignedAgentId,
-      name,
-      job,
-      status: status as Status,
-      note: note || null,
-      summaryUpdatedAt: note ? new Date() : null,
-      blockingReason: blockingReason || null,
-      ...userTaskUpdater({ id: session.userId, name: session.username }),
-      readMarkers: {
-        create: readByAgentIds.map((agentId) => ({
-          agentId,
-          status: status as Status,
-        })),
-      },
-      blockedByDependencies: {
-        create: dependencyIds.map((dependencyTaskId) => ({ dependencyTaskId })),
-      },
-    },
-    include: {
-      assigned: {
-        select: {
-          id: true,
-          name: true,
-          position: true,
-        },
-      },
-      readMarkers: {
-        select: {
-          agentId: true,
-          status: true,
-          readAt: true,
-          agent: {
-            select: {
-              id: true,
-              AgentId: true,
-              name: true,
-            },
-          },
-        },
-      },
-      blockedByDependencies: {
-        select: {
-          dependencyTask: {
-            select: {
-              id: true,
-              name: true,
-              status: true,
-            },
-          },
-        },
-      },
-      unblocksDependencies: {
-        select: {
-          blockedTask: {
-            select: {
-              id: true,
-              name: true,
-              status: true,
-            },
-          },
-        },
-      },
-    },
-  })
-
-  await createAuditLog({
-    companyId: project.companyId,
-    action: "task.created",
-    target: { type: "task", id: task.id, name: task.name },
-    actor: { type: "user", id: session.userId, name: session.username },
-    details: `Created as ${task.status} and assigned to ${task.assigned.name}${dependencyIds.length ? ` with ${dependencyIds.length} dependencies` : ""}.`,
-  })
-
-  return NextResponse.json({ statusCode: 201, task: serializeTaskDependencies(task) }, { status: 201 })
-}
-
-function parseStringIds(value: unknown) {
-  if (value === undefined) return []
-  if (!Array.isArray(value)) return null
-
-  const ids = value.filter((item): item is string => typeof item === "string" && Boolean(item))
-
-  return ids.length === value.length ? Array.from(new Set(ids)) : null
-}
diff --git a/apps/web/lib/api/client.ts b/apps/web/lib/api/client.ts
deleted file mode 100644
index 5a884c9..0000000
--- a/apps/web/lib/api/client.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-export async function apiJson<T>(input: RequestInfo | URL, init?: RequestInit): Promise<T> {
-  const response = await fetch(input, {
-    ...init,
-    headers: {
-      "Content-Type": "application/json",
-      ...init?.headers,
-    },
-  })
-  const data = (await response.json().catch(() => null)) as T & { error?: string }
-
-  if (!response.ok) {
-    throw new Error(data?.error ?? "Request failed")
-  }
-
-  return data
-}