feat(voice): hero TimerHomeWidget + timer cancel/adjust by label

UI:
- Replace Notes column on Home bento with TimerHomeWidget. Shows all
  active timers as stacked cards with big 30px countdowns, per-timer
  +1/-1 minute buttons and cancel. Colors: indigo default, amber in
  last 10s, red when expired. Empty state suggests voice command.
- Existing chip TimerWidget (bottom-right) kept for ambient view on
  other tabs — redundant on Home, but harmless.

API:
- /api/voice/timer accepts cookie OR bearer (browser widget cancel
  works with user's auth_token cookie; Python script uses bearer).
- New action 'adjust' — shifts endsAt by delta_seconds. Clamps so
  endsAt never goes into the past.
- Cancel now supports {label} in addition to {id} (fuzzy substring
  match, most-recently-started wins). Emits timer_cancel with id+label
  so clients can refresh.
- findByLabel / adjustTimer helpers in lib/timers.ts.

app/api/voice/timer/route.ts

@@ -3,24 +3,36 @@ export const runtime = 'nodejs'
 
 import { NextResponse } from 'next/server'
 import { voiceBus } from '@/lib/voice-bus'
-import { addTimer, removeTimer, listActive } from '@/lib/timers'
+import { addTimer, removeTimer, listActive, findByLabel, adjustTimer, Timer } from '@/lib/timers'
 
-function bearerOk(req: Request): boolean {
+// Допускаем либо bearer (Python-скрипт), либо auth_token cookie (браузер планшета).
+// Cookie ↔ middleware нас bypass'ит для этого пути, проверяем вручную присутствие.
+function authorized(req: Request): boolean {
   const expected = process.env.VOICE_API_KEY
-  if (!expected) return false
   const auth = req.headers.get('authorization') || ''
-  const token = auth.replace(/^Bearer\s+/i, '').trim()
-  return token === expected
+  const bearer = auth.replace(/^Bearer\s+/i, '').trim()
+  if (expected && bearer === expected) return true
+
+  const cookie = req.headers.get('cookie') || ''
+  if (/auth_token=[a-f0-9]{32,}/i.test(cookie)) return true
+
+  return false
 }
 
-export async function GET(req: Request) {
-  // Browser (cookie auth via middleware) will reach here — listing is public to logged-in user.
-  // Script with bearer can also GET it.
+function emit(event: string, payload: Record<string, any>) {
+  voiceBus.emit('voice', {
+    event,
+    ...payload,
+    timestamp: new Date().toISOString(),
+  })
+}
+
+export async function GET() {
   return NextResponse.json({ timers: listActive() })
 }
 
 export async function POST(req: Request) {
-  if (!bearerOk(req)) {
+  if (!authorized(req)) {
     return NextResponse.json({ error: 'unauthorized' }, { status: 401 })
   }
 
@@ -29,6 +41,7 @@ export async function POST(req: Request) {
     return NextResponse.json({ error: 'action required' }, { status: 400 })
   }
 
+  // ─────────── start ───────────
   if (body.action === 'start') {
     const seconds = Number(body.seconds)
     const label = typeof body.label === 'string' ? body.label.slice(0, 80) : 'Таймер'
@@ -38,26 +51,52 @@ export async function POST(req: Request) {
     }
     const endsAt = new Date(Date.now() + seconds * 1000).toISOString()
     const t = addTimer({ label, endsAt, agent })
-    voiceBus.emit('voice', {
-      event: 'timer_start',
-      timer: t,
-      timestamp: new Date().toISOString(),
-    })
+    emit('timer_start', { timer: t })
     return NextResponse.json({ timer: t })
   }
 
+  // ─────────── cancel ───────────
   if (body.action === 'cancel') {
-    const id = typeof body.id === 'string' ? body.id : ''
-    if (!id) return NextResponse.json({ error: 'id required' }, { status: 400 })
-    const ok = removeTimer(id)
-    if (ok) {
-      voiceBus.emit('voice', {
-        event: 'timer_cancel',
-        id,
-        timestamp: new Date().toISOString(),
-      })
+    let target: Timer | null = null
+    if (typeof body.id === 'string' && body.id) {
+      target = removeTimer(body.id)
+    } else if (typeof body.label === 'string' && body.label) {
+      const found = findByLabel(body.label)
+      if (found) target = removeTimer(found.id)
+    } else {
+      return NextResponse.json({ error: 'id or label required' }, { status: 400 })
     }
-    return NextResponse.json({ cancelled: ok })
+    if (!target) {
+      return NextResponse.json({ cancelled: false, error: 'timer_not_found' }, { status: 404 })
+    }
+    emit('timer_cancel', { id: target.id, label: target.label })
+    return NextResponse.json({ cancelled: true, timer: target })
+  }
+
+  // ─────────── adjust ───────────
+  if (body.action === 'adjust') {
+    const delta = Number(body.delta_seconds)
+    if (!Number.isFinite(delta) || delta === 0) {
+      return NextResponse.json({ error: 'delta_seconds must be non-zero number' }, { status: 400 })
+    }
+    let targetId: string | null = null
+    if (typeof body.id === 'string' && body.id) {
+      targetId = body.id
+    } else if (typeof body.label === 'string' && body.label) {
+      const found = findByLabel(body.label)
+      if (found) targetId = found.id
+    } else {
+      return NextResponse.json({ error: 'id or label required' }, { status: 400 })
+    }
+    if (!targetId) {
+      return NextResponse.json({ adjusted: false, error: 'timer_not_found' }, { status: 404 })
+    }
+    const updated = adjustTimer(targetId, delta)
+    if (!updated) {
+      return NextResponse.json({ adjusted: false, error: 'timer_not_found' }, { status: 404 })
+    }
+    emit('timer_start', { timer: updated }) // переиспользуем event — виджеты перечитают
+    return NextResponse.json({ adjusted: true, timer: updated })
   }
 
   return NextResponse.json({ error: `unknown action: ${body.action}` }, { status: 400 })