fix: import randomUUID from node:crypto for non-secure contexts #3574

Open
guoyangzhen wants to merge 16 commits into simstudioai:main from guoyangzhen:fix/crypto-randomuuid-import

@guoyangzhen guoyangzhen commented Mar 14, 2026

Problem

When accessing self-hosted sim over HTTP (e.g., http://192.168.x.x:3000), the app shows a white screen with TypeError: crypto.randomUUID is not a function.

Fix

New shared utility lib/utils/uuid.ts with generateId() providing automatic fallback:

  1. crypto.randomUUID() — Node.js + HTTPS browsers
  2. crypto.getRandomValues() — HTTP browsers
  3. Math.random() — last resort

Comprehensive replacement: All 38 client-side files use generateId(). Server-side code unchanged.

Fixes #3393
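
The three-step fallback listed in the description above, as an added example; it is not the PR's lib/utils/uuid.ts. `CryptoLike`, `IdSource` and `generateIdWithSource` are names assumed here so that the branch taken is visible to the caller, which matters because only the first two branches draw from a CSPRNG.

```typescript
// Added example, not the PR's lib/utils/uuid.ts. CryptoLike, IdSource and
// generateIdWithSource are names assumed here for illustration.
interface CryptoLike {
  randomUUID?: () => string
  getRandomValues?: (buf: Uint8Array) => Uint8Array
}

type IdSource = 'randomUUID' | 'getRandomValues' | 'Math.random'

// Stamp the RFC 4122 version/variant bits and render 16 bytes as 8-4-4-4-12 hex.
function formatV4(bytes: Uint8Array): string {
  bytes[6] = (bytes[6] & 0x0f) | 0x40 // version 4
  bytes[8] = (bytes[8] & 0x3f) | 0x80 // variant 10xx
  let hex = ''
  for (let i = 0; i < 16; i++) hex += (bytes[i] + 0x100).toString(16).slice(1)
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
    hex.slice(16, 20), hex.slice(20)].join('-')
}

// Returns the id plus which branch produced it, so callers can log or refuse
// the weak branch.
function generateIdWithSource(c?: CryptoLike): { id: string; source: IdSource } {
  // 1. Node.js and secure contexts expose randomUUID().
  if (c && typeof c.randomUUID === 'function') {
    return { id: c.randomUUID(), source: 'randomUUID' }
  }
  const bytes = new Uint8Array(16)
  // 2. getRandomValues() is still a CSPRNG and is available on plain HTTP pages.
  if (c && typeof c.getRandomValues === 'function') {
    c.getRandomValues(bytes)
    return { id: formatV4(bytes), source: 'getRandomValues' }
  }
  // 3. Math.random() is predictable: acceptable for UI keys and correlation ids,
  //    not for tokens, secrets or anything an attacker gains from guessing.
  for (let i = 0; i < 16; i++) bytes[i] = Math.floor(Math.random() * 256)
  return { id: formatV4(bytes), source: 'Math.random' }
}

function generateId(): string {
  return generateIdWithSource((globalThis as any).crypto).id
}
```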

The normalizeFileInput helper only handles file objects from the upload UI,
not plain URL strings. When users pass a URL in advanced mode (e.g.,
<Block.result.photo> resolving to 'https://example.com/image.jpg'),
normalizeFileInput tries to JSON.parse it, fails, returns undefined,
and throws 'Photo is required.'

Fix: check if the param is a plain string first (URL or file_id) and
pass it through directly before attempting file normalization.

Applies to: telegram_send_photo, telegram_send_video,
telegram_send_audio, telegram_send_animation.

Fixes simstudioai#3220

crypto.randomUUID() is only available in secure contexts (HTTPS).
When accessing self-hosted sim over HTTP (e.g., http://192.168.x.x),
the global crypto API doesn't expose randomUUID, causing white screen.

Fix: import { randomUUID } from node:crypto instead of relying on
the global crypto.randomUUID().

Affected files:
- tools/langsmith/utils.ts: runId fallback
- executor/handlers/workflow/workflow-handler.ts: instanceId generation

Fixes simstudioai#3393

cursor bot commented Mar 14, 2026

PR Summary

Medium Risk
Broadly replaces crypto.randomUUID() across chat/workflow UI, collaboration, and stores; if generateId() differs or collisions occur, it could impact message/operation correlation. Also tweaks Telegram block parameter handling for media sends, which could change runtime behavior for existing workflows.

Overview
Prevents white-screen crashes in non-secure (HTTP) deployments by introducing lib/utils/uuid.ts with generateId() and replacing most client-side crypto.randomUUID() usages with this fallback ID generator (chat messages/files, workflow edges/blocks, collaborative operation queue, undo/redo, notifications, etc.).

Updates a few server-side callsites to use node:crypto’s randomUUID() explicitly, and enhances the Telegram block so send_* media actions accept a trimmed string (URL or file_id) in addition to file inputs.

Written by Cursor Bugbot for commit 608a0a4. This will update automatically on new commits.


greptile-apps bot commented Mar 14, 2026

Greptile Summary

This PR fixes a TypeError: crypto.randomUUID is not a function crash that occurs when the app is accessed over HTTP (non-secure context), where the Web Crypto API's randomUUID() is unavailable. The fix replaces the two crypto.randomUUID() calls in the executor workflow handler and the LangSmith utility with randomUUID imported from Node.js's node:crypto module, which is polyfilled by the webpack bundler for client-side usage and therefore works regardless of HTTP/HTTPS context.

Key changes:

  • apps/sim/executor/handlers/workflow/workflow-handler.ts — adds import { randomUUID } from 'node:crypto' and replaces crypto.randomUUID() on line 85
  • apps/sim/tools/langsmith/utils.ts — same import + replacement on line 24

Notable concern:

  • The same crypto.randomUUID() pattern exists in ~100+ other files across client-side hooks (use-undo-redo.ts, use-collaborative-workflow.ts), Zustand stores (stores/notifications/, stores/chat/, stores/workflows/), client-side React components (app/workspace/**/components/**), and socket handlers (socket/handlers/operations.ts). All of these would throw the same error on an HTTP deployment. While this PR addresses the specific white-screen path from the reported bug, a broader fix pass is likely needed to fully resolve the HTTP deployment experience.

Confidence Score: 3/5

  • Safe to merge as a targeted fix, but the underlying issue persists across many other client-side files.
  • The two changed files are correct and the fix pattern matches the existing billing code convention. However, the root problem (crypto.randomUUID() in non-secure contexts) remains in dozens of client-side hooks, stores, and components that were not addressed, meaning HTTP deployments will still encounter the error in other parts of the app. Confidence is lowered because the fix is partial relative to the scope of the problem.
  • No issues with the two changed files themselves; attention is warranted on the broader set of unpatched crypto.randomUUID() calls throughout apps/sim/hooks/, apps/sim/stores/, and apps/sim/app/workspace/**/components/.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/executor/handlers/workflow/workflow-handler.ts | Replaces global crypto.randomUUID() with the Node.js randomUUID import on line 85; fix is correct for this file but does not address the same pattern in many other client-side files. |
| apps/sim/tools/langsmith/utils.ts | Replaces global crypto.randomUUID() with the Node.js randomUUID import on line 24; change is minimal, correct, and consistent with the billing file pattern mentioned in the PR description. |

Sequence Diagram

sequenceDiagram
    participant Browser as Browser (HTTP)
    participant WFHandler as WorkflowBlockHandler
    participant NodeCrypto as node:crypto
    participant WebCrypto as globalThis.crypto

    Note over Browser, WebCrypto: Before fix — HTTP context
    Browser->>WFHandler: Execute workflow block
    WFHandler->>WebCrypto: crypto.randomUUID()
    WebCrypto-->>WFHandler: ❌ TypeError (not a function in non-secure context)

    Note over Browser, NodeCrypto: After fix — HTTP context
    Browser->>WFHandler: Execute workflow block
    WFHandler->>NodeCrypto: randomUUID() (polyfilled by webpack)
    NodeCrypto-->>WFHandler: ✅ "550e8400-e29b-41d4-..."
    WFHandler-->>Browser: instanceId assigned, execution proceeds

Last reviewed commit: 40250a2

@@ -1,3 +1,4 @@
import { randomUUID } from 'node:crypto'
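
Review bot: The import added at line 1 ties this module to Node's built-in crypto module, so it is only safe if the file never ends up in a browser bundle; the PR description places the crash in the browser over HTTP, which is exactly where a 'node:crypto' import depends on whatever the bundler substitutes for it, and nothing in the visible hunk establishes that. Either mark the file as server-only, or call the shared generateId() from lib/utils/uuid.ts described in the later commits so the fallback behaviour is defined in one place.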

Incomplete fix — many other call sites affected

The same crypto.randomUUID() pattern exists in many other files that also run in a non-secure (HTTP) context and will throw the same error. This PR only patches two files, but a broad search reveals ~100+ additional occurrences across client-side code, including:

  • apps/sim/hooks/use-undo-redo.ts (multiple calls — client-side hook)
  • apps/sim/hooks/use-collaborative-workflow.ts (client-side hook)
  • apps/sim/stores/notifications/store.ts, stores/chat/store.ts, stores/workflows/workflow/store.ts, etc. (all Zustand stores run in the browser)
  • apps/sim/app/workspace/**/components/**/*.tsx (various client-side React components)
  • apps/sim/socket/handlers/operations.ts (socket handler, called from client context)
  • apps/sim/lib/copilot/client-sse/content-blocks.ts (client-side SSE utility)

All of these will still throw TypeError: crypto.randomUUID is not a function on HTTP deployments. The fix should be extended consistently to all files, or at minimum the client-side ones that will fail in a non-secure browser context.

Comprehensive fix for HTTP deployments (non-secure contexts).

crypto.randomUUID() only works in HTTPS contexts. In HTTP deployments
(e.g., http://192.168.x.x:3000), it throws TypeError causing white screen.

Changes:
- Add shared generateId() utility in lib/utils/uuid.ts with automatic
  fallback: crypto.randomUUID() → getRandomValues → Math.random
- Replace all 38 client-side crypto.randomUUID() calls with generateId()
  across hooks/, stores/, app/chat/, app/workspace/, serializer/, triggers/
- Server-side code (app/api/, lib/auth/, lib/billing/) unchanged -
  Node.js always has crypto.randomUUID() available

Fixes simstudioai#3393

@guoyangzhen guoyangzhen force-pushed the fix/crypto-randomuuid-import branch from 8a65db0 to e38b27b, March 14, 2026 09:23

…onents

Fixes the import ordering issue flagged by Cursor Bugbot review.
In Next.js, 'use client' must be the very first statement. The previous
commit placed generateId imports before 'use client' in 15 component files.

Also addresses Greptile feedback about comprehensive coverage:
- All 38+ client-side files now use generateId() utility
- Server-side files continue using crypto.randomUUID() directly
- Shared utility provides automatic fallback for non-secure contexts

Fixes simstudioai#3393

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Development

Successfully merging this pull request may close these issues.

[Bug] White screen / "Application error" - crypto.randomUUID is not a function
