diff --git a/api/auth.py b/api/auth.py
index be2b1d5..94e4438 100644
--- a/api/auth.py
+++ b/api/auth.py
@@ -57,7 +57,7 @@ def _hash_password(password):
     return dk.hex()
 
 
-def get_password_hash() -> bool:
+def get_password_hash() -> str | None:
     """Return the active password hash, or None if auth is disabled.
     Priority: env var > settings.json."""
     env_pw = os.getenv('HERMES_WEBUI_PASSWORD', '').strip()
@@ -110,7 +110,7 @@ def invalidate_session(cookie_value) -> None:
         _sessions.pop(token, None)
 
 
-def parse_cookie(handler) -> None:
+def parse_cookie(handler) -> str | None:
     """Extract the auth cookie from the request headers."""
     cookie_header = handler.headers.get('Cookie', '')
     if not cookie_header:
diff --git a/api/models.py b/api/models.py
index a98cd60..b5fb216 100644
--- a/api/models.py
+++ b/api/models.py
@@ -34,13 +34,13 @@ def _write_session_index():
 
 
 class Session:
-    def __init__(self, session_id: int=None, title: str='Untitled',
+    def __init__(self, session_id: str=None, title: str='Untitled',
                  workspace=str(DEFAULT_WORKSPACE), model=DEFAULT_MODEL,
                  messages=None, created_at=None, updated_at=None,
                  tool_calls=None, pinned: bool=False, archived: bool=False,
-                 project_id: int=None, profile=None,
+                 project_id: str=None, profile=None,
                  input_tokens: int=0, output_tokens: int=0, estimated_cost=None,
-                 **kwargs: dict):
+                 **kwargs):
         self.session_id = session_id or uuid.uuid4().hex[:12]
         self.title = title
         self.workspace = str(Path(workspace).expanduser().resolve())
@@ -70,7 +70,7 @@ class Session:
         _write_session_index()
 
     @classmethod
-    def load(cls, sid) -> None:
+    def load(cls, sid):
         p = SESSION_DIR / f'{sid}.json'
         if not p.exists():
             return None
@@ -194,7 +194,7 @@ def save_projects(projects) -> None:
     PROJECTS_FILE.write_text(json.dumps(projects, ensure_ascii=False, indent=2), encoding='utf-8')
 
 
-def import_cli_session(session_id: int, title: str, messages, model: str='unknown', profile=None):
+def import_cli_session(session_id: str, title: str, messages, model: str='unknown', profile=None):
     """Create a new WebUI session populated with CLI messages.
     Returns the Session object.
     """
diff --git a/api/state_sync.py b/api/state_sync.py
index fb3e68d..244e06f 100644
--- a/api/state_sync.py
+++ b/api/state_sync.py
@@ -43,7 +43,7 @@ def _get_state_db():
         return None
 
 
-def sync_session_start(session_id: int, model=None) -> None:
+def sync_session_start(session_id: str, model=None) -> None:
     """Register a WebUI session in state.db (idempotent).
     Called when a session's first message is sent.
     """
@@ -65,7 +65,7 @@ def sync_session_start(session_id: int, model=None) -> None:
             pass
 
 
-def sync_session_usage(session_id: int, input_tokens: int=0, output_tokens: int=0,
+def sync_session_usage(session_id: str, input_tokens: int=0, output_tokens: int=0,
                        estimated_cost=None, model=None, title: str=None) -> None:
     """Update token usage and title for a WebUI session in state.db.
     Called after each turn completes. Uses absolute=True to set totals