feat(voice): tool endpoints, timer widget, clean Siri-style overlay

Adds the infrastructure for Claude tool use + visual timer.

Tablet API surface (all bearer-authed with VOICE_API_KEY, middleware bypassed):
- /api/voice/tools/weather    — current + short forecast via Open-Meteo
- /api/voice/tools/transport  — tram arrivals by direction / route filter
- /api/voice/tools/events     — Google Calendar today/week
- /api/voice/tools/notes      — notes + shopping lists
- /api/voice/timer            — start (with seconds+label), cancel; GET list (cookie ok)
  Active timers persisted at /data/tablet-timers.json

UI:
- VoiceOverlay stripped to minimal Siri look: no agent emoji/name, just the
  pulsing orb (3-layer radial gradient, independent breath animations),
  subtle status label on wake only, transcription/response text centered.
  Agents distinguished by orb color (Cosmo indigo/violet, Люся pink).
- TimerWidget: bottom-right chip stack with countdown, progress bar, turns
  amber in last 10s. On expiry, fires fullscreen alarm overlay with beep
  (WebAudio osc) + Остановить button.

Other:
- lib/timers.ts — persistent timer store in /data
- lib/voice-tools.ts — shared bearer-auth helper
- middleware — bypass list now covers /api/voice/tools/* and /api/voice/timer

app/api/voice/timer/route.ts

@@ -0,0 +1,64 @@
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
+
+import { NextResponse } from 'next/server'
+import { voiceBus } from '@/lib/voice-bus'
+import { addTimer, removeTimer, listActive } from '@/lib/timers'
+
+function bearerOk(req: Request): boolean {
+  const expected = process.env.VOICE_API_KEY
+  if (!expected) return false
+  const auth = req.headers.get('authorization') || ''
+  const token = auth.replace(/^Bearer\s+/i, '').trim()
+  return token === expected
+}
+
+export async function GET(req: Request) {
+  // Browser (cookie auth via middleware) will reach here — listing is public to logged-in user.
+  // Script with bearer can also GET it.
+  return NextResponse.json({ timers: listActive() })
+}
+
+export async function POST(req: Request) {
+  if (!bearerOk(req)) {
+    return NextResponse.json({ error: 'unauthorized' }, { status: 401 })
+  }
+
+  const body = await req.json().catch(() => null)
+  if (!body || typeof body.action !== 'string') {
+    return NextResponse.json({ error: 'action required' }, { status: 400 })
+  }
+
+  if (body.action === 'start') {
+    const seconds = Number(body.seconds)
+    const label = typeof body.label === 'string' ? body.label.slice(0, 80) : 'Таймер'
+    const agent = body.agent === 'lusya' ? 'lusya' : 'cosmo'
+    if (!Number.isFinite(seconds) || seconds < 1 || seconds > 24 * 3600) {
+      return NextResponse.json({ error: 'seconds must be 1..86400' }, { status: 400 })
+    }
+    const endsAt = new Date(Date.now() + seconds * 1000).toISOString()
+    const t = addTimer({ label, endsAt, agent })
+    voiceBus.emit('voice', {
+      event: 'timer_start',
+      timer: t,
+      timestamp: new Date().toISOString(),
+    })
+    return NextResponse.json({ timer: t })
+  }
+
+  if (body.action === 'cancel') {
+    const id = typeof body.id === 'string' ? body.id : ''
+    if (!id) return NextResponse.json({ error: 'id required' }, { status: 400 })
+    const ok = removeTimer(id)
+    if (ok) {
+      voiceBus.emit('voice', {
+        event: 'timer_cancel',
+        id,
+        timestamp: new Date().toISOString(),
+      })
+    }
+    return NextResponse.json({ cancelled: ok })
+  }
+
+  return NextResponse.json({ error: `unknown action: ${body.action}` }, { status: 400 })
+}