@stefandevo (Collaborator) commented Jan 21, 2026

Summary

  • Replace direct crypto.randomUUID() calls with centralized generateUUID() utility in spec editor components
  • Simplify generateUUID() to always use crypto.getRandomValues() which works in all contexts including non-secure HTTP (Docker)

Changes

  • array-field-editor.tsx: Use generateUUID from @/lib/utils
  • features-section.tsx: Use generateUUID from @/lib/utils
  • roadmap-section.tsx: Use generateUUID from @/lib/utils
  • utils.ts: Simplify generateUUID() to always use crypto.getRandomValues()

Why

crypto.randomUUID() requires a secure context (HTTPS or localhost). When running in Docker via plain HTTP, it throws an error. Using crypto.getRandomValues() directly works in all modern browsers regardless of secure context while maintaining the same cryptographic security.

Test plan

  • Build passes
  • Verify spec editor works in Docker over HTTP
  • Verify UUID generation in array fields, features, and roadmap sections

Summary by CodeRabbit

  • Refactor
    • Consolidated ID generation into a single UUID utility and updated components to use it for all new and initial item IDs.
    • Simplified and standardized UUID creation with stronger randomness checks for more consistent behavior across the UI.


claude and others added 2 commits January 21, 2026 07:47
Use the centralized generateUUID utility from @/lib/utils instead of
direct crypto.randomUUID calls in spec editor components. This provides
better fallback handling for non-secure contexts (e.g., Docker via HTTP).

Files updated:
- array-field-editor.tsx
- features-section.tsx
- roadmap-section.tsx

Remove conditional checks and fallbacks - crypto.getRandomValues() works
in all modern browsers including non-secure HTTP contexts (Docker).
This simplifies the code while maintaining the same security guarantees.

@gemini-code-assist (Contributor)

Summary of Changes

Hello @stefandevo, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the application's UUID generation mechanism to enhance robustness and compatibility. Previously, direct usage of crypto.randomUUID() caused failures in non-secure environments, such as when the UI was served via HTTP in a Docker container. By centralizing UUID generation into a dedicated utility function that exclusively leverages crypto.getRandomValues(), the application now ensures consistent and secure UUID creation across all deployment contexts, eliminating environment-specific failures.

Highlights

  • Centralized UUID Generation: Replaced direct calls to crypto.randomUUID() with a new generateUUID() utility function across various spec editor components (array-field-editor.tsx, features-section.tsx, roadmap-section.tsx).
  • Improved Compatibility: The generateUUID() utility has been simplified to consistently use crypto.getRandomValues(), ensuring UUID generation works reliably in all contexts, including non-secure HTTP environments like Docker.
  • Resolved Docker HTTP Issue: This change specifically addresses an issue where crypto.randomUUID() would fail in non-secure contexts, preventing proper functionality when running the UI in Docker over plain HTTP.

coderabbitai bot commented Jan 21, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This PR centralizes UUID generation by replacing multiple local ID generators with a shared generateUUID() utility and updates the utility to use crypto.getRandomValues() for RFC4122 v4 UUIDs. No component APIs or external behaviors were changed. (46 words)

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Component ID Generation Consolidation: apps/ui/src/components/views/spec-view/components/edit-mode/array-field-editor.tsx, apps/ui/src/components/views/spec-view/components/edit-mode/features-section.tsx, apps/ui/src/components/views/spec-view/components/edit-mode/roadmap-section.tsx | Replaced local generateId/crypto.randomUUID usages with a centralized generateUUID() import; removed internal ID helper functions; updated item/feature/phase ID assignments to use generateUUID(). |
| Centralized UUID Generator: apps/ui/src/lib/utils.ts | Simplified generateUUID() to always use crypto.getRandomValues() to produce 16 random bytes, set UUID v4 version/variant bits, and format the UUID string; removed fallback branches and crypto.randomUUID() conditional. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code with whiskers bright,
Replaced lone IDs with one shared light,
generateUUID hums, steady and neat,
Now every item has a tidy beat,
Hop on — the IDs all align tonight. 🎋

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing crypto.randomUUID with a centralized generateUUID utility across multiple components and the utils module. |


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the UUID generation logic by centralizing it into a generateUUID utility function and replacing direct crypto.randomUUID() calls in several UI components. The generateUUID function has been simplified to consistently use crypto.getRandomValues() to address compatibility issues in non-secure contexts.

if (typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function') {
const bytes = new Uint8Array(16);
crypto.getRandomValues(bytes);
const bytes = new Uint8Array(16);
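
Review bot: once the `typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function'` condition on the first line is gone, the `crypto.getRandomValues(bytes)` call that follows `const bytes = new Uint8Array(16);` has no availability check, so a runtime without Web Crypto fails with a generic ReferenceError or TypeError from inside an ID helper. Removing the fallback branch is the right call for ID quality, but the function should throw a named error when the API is missing, and a unit test should pin the output shape (8-4-4-4-12 hex, version nibble 4, variant nibble 8, 9, a or b).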

medium

The current implementation of generateUUID directly calls crypto.getRandomValues() without checking if the crypto object or its getRandomValues method is available. While the PR description states it works in modern browsers, it's a good defensive programming practice to include a check to prevent runtime errors in environments where crypto might be undefined or getRandomValues might be missing. Given the emphasis on cryptographic security, throwing an error is more appropriate than falling back to an insecure method if the required API is absent.

Suggested change
const bytes = new Uint8Array(16);
if (typeof crypto === 'undefined' || typeof crypto.getRandomValues === 'undefined') {
throw new Error('Cryptographically secure random number generator not available.');
}
const bytes = new Uint8Array(16);
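
Review bot: the condition on the second line tests `typeof crypto.getRandomValues === 'undefined'`, which lets any defined but non-callable value through; the guard shown earlier on this page compared against 'function', and `!== 'function'` is the stricter form to keep. The error text could also name the missing API (crypto.getRandomValues) so that whoever hits it in an unusual runtime knows what to look for.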

Add check for crypto.getRandomValues() availability before use.
Throws a meaningful error if the crypto API is not available,
rather than failing with an unclear runtime error.
@stefandevo stefandevo merged commit 641bbde into AutoMaker-Org:v0.14.0rc Jan 21, 2026
6 checks passed
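
The approach discussed in this thread (16 bytes from crypto.getRandomValues(), version and variant bits set, an explicit error when the API is missing), as an added example that is not the project's code from utils.ts. The names uuidV4FromBytes, fixedSource and UUID_V4, and the source parameter, are assumptions made for illustration.

```javascript
// Added example: fail-closed UUID v4 generation from crypto.getRandomValues().
// All names except getRandomValues are illustrative, not the project's own.

// Pure formatting step: takes 16 bytes, returns an RFC 4122 version-4 string.
function uuidV4FromBytes(input) {
  if (!(input instanceof Uint8Array) || input.length !== 16) {
    throw new TypeError('expected exactly 16 bytes');
  }
  const bytes = Uint8Array.from(input); // copy so the caller's buffer is untouched
  bytes[6] = (bytes[6] & 0x0f) | 0x40; // version nibble = 4
  bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant bits = 10xxxxxx
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  return [
    hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
    hex.slice(16, 20), hex.slice(20),
  ].join('-');
}

// source defaults to the Web Crypto global; it is a parameter only so the
// behaviour can be exercised without a browser (an assumption of this example).
function generateUUID(source = globalThis.crypto) {
  if (!source || typeof source.getRandomValues !== 'function') {
    // Fail closed: never substitute Math.random() for a missing CSPRNG.
    throw new Error('crypto.getRandomValues() is not available');
  }
  const bytes = new Uint8Array(16);
  source.getRandomValues(bytes);
  return uuidV4FromBytes(bytes);
}

// Constructed stand-in for a CSPRNG, used only for a deterministic check.
const fixedSource = { getRandomValues: (buf) => buf.fill(0xab) };

// Shape check for version-4 UUIDs: version nibble 4, variant nibble 8, 9, a or b.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
```

Unlike crypto.randomUUID(), nothing here depends on a secure context, so the same code path runs whether the UI is served over HTTPS, localhost or plain HTTP.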