npm - @lobu/gateway - Versions diffs - 3.0.5 → 3.0.6 - Mend

@lobu/gateway 3.0.5 → 3.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/package.json +2 -2
package/src/__tests__/agent-config-routes.test.ts +254 -0
package/src/__tests__/agent-history-routes.test.ts +72 -0
package/src/__tests__/agent-routes.test.ts +68 -0
package/src/__tests__/agent-schedules-routes.test.ts +59 -0
package/src/__tests__/agent-settings-store.test.ts +323 -0
package/src/__tests__/chat-instance-manager-slack.test.ts +204 -0
package/src/__tests__/chat-response-bridge.test.ts +131 -0
package/src/__tests__/config-memory-plugins.test.ts +92 -0
package/src/__tests__/config-request-store.test.ts +127 -0
package/src/__tests__/connection-routes.test.ts +144 -0
package/src/__tests__/core-services-store-selection.test.ts +92 -0
package/src/__tests__/docker-deployment.test.ts +1211 -0
package/src/__tests__/embedded-deployment.test.ts +342 -0
package/src/__tests__/grant-store.test.ts +148 -0
package/src/__tests__/http-proxy.test.ts +281 -0
package/src/__tests__/instruction-service.test.ts +37 -0
package/src/__tests__/link-buttons.test.ts +112 -0
package/src/__tests__/lobu.test.ts +32 -0
package/src/__tests__/mcp-config-service.test.ts +347 -0
package/src/__tests__/mcp-proxy.test.ts +696 -0
package/src/__tests__/message-handler-bridge.test.ts +17 -0
package/src/__tests__/model-selection.test.ts +172 -0
package/src/__tests__/oauth-templates.test.ts +39 -0
package/src/__tests__/platform-adapter-slack-send.test.ts +114 -0
package/src/__tests__/platform-helpers-model-resolution.test.ts +253 -0
package/src/__tests__/provider-inheritance.test.ts +212 -0
package/src/__tests__/routes/cli-auth.test.ts +337 -0
package/src/__tests__/routes/interactions.test.ts +121 -0
package/src/__tests__/secret-proxy.test.ts +85 -0
package/src/__tests__/session-manager.test.ts +572 -0
package/src/__tests__/setup.ts +133 -0
package/src/__tests__/skill-and-mcp-registry.test.ts +203 -0
package/src/__tests__/slack-routes.test.ts +161 -0
package/src/__tests__/system-config-resolver.test.ts +75 -0
package/src/__tests__/system-message-limiter.test.ts +89 -0
package/src/__tests__/system-skills-service.test.ts +362 -0
package/src/__tests__/transcription-service.test.ts +222 -0
package/src/__tests__/utils/rate-limiter.test.ts +102 -0
package/src/__tests__/worker-connection-manager.test.ts +497 -0
package/src/__tests__/worker-job-router.test.ts +722 -0
package/src/api/index.ts +1 -0
package/src/api/platform.ts +292 -0
package/src/api/response-renderer.ts +157 -0
package/src/auth/agent-metadata-store.ts +168 -0
package/src/auth/api-auth-middleware.ts +69 -0
package/src/auth/api-key-provider-module.ts +213 -0
package/src/auth/base-provider-module.ts +201 -0
package/src/auth/chatgpt/chatgpt-oauth-module.ts +185 -0
package/src/auth/chatgpt/device-code-client.ts +218 -0
package/src/auth/chatgpt/index.ts +1 -0
package/src/auth/claude/oauth-module.ts +280 -0
package/src/auth/cli/token-service.ts +249 -0
package/src/auth/external/client.ts +560 -0
package/src/auth/external/device-code-client.ts +225 -0
package/src/auth/mcp/config-service.ts +392 -0
package/src/auth/mcp/proxy.ts +1088 -0
package/src/auth/mcp/string-substitution.ts +17 -0
package/src/auth/mcp/tool-cache.ts +90 -0
package/src/auth/oauth/base-client.ts +267 -0
package/src/auth/oauth/client.ts +153 -0
package/src/auth/oauth/credentials.ts +7 -0
package/src/auth/oauth/providers.ts +69 -0
package/src/auth/oauth/state-store.ts +150 -0
package/src/auth/oauth-templates.ts +179 -0
package/src/auth/provider-catalog.ts +220 -0
package/src/auth/provider-model-options.ts +41 -0
package/src/auth/settings/agent-settings-store.ts +565 -0
package/src/auth/settings/auth-profiles-manager.ts +216 -0
package/src/auth/settings/index.ts +12 -0
package/src/auth/settings/model-preference-store.ts +52 -0
package/src/auth/settings/model-selection.ts +135 -0
package/src/auth/settings/resolved-settings-view.ts +298 -0
package/src/auth/settings/template-utils.ts +44 -0
package/src/auth/settings/token-service.ts +88 -0
package/src/auth/system-env-store.ts +98 -0
package/src/auth/user-agents-store.ts +68 -0
package/src/channels/binding-service.ts +214 -0
package/src/channels/index.ts +4 -0
package/src/cli/gateway.ts +1304 -0
package/src/cli/index.ts +74 -0
package/src/commands/built-in-commands.ts +80 -0
package/src/commands/command-dispatcher.ts +94 -0
package/src/commands/command-reply-adapters.ts +27 -0
package/src/config/file-loader.ts +618 -0
package/src/config/index.ts +588 -0
package/src/config/network-allowlist.ts +71 -0
package/src/connections/chat-instance-manager.ts +1284 -0
package/src/connections/chat-response-bridge.ts +618 -0
package/src/connections/index.ts +7 -0
package/src/connections/interaction-bridge.ts +831 -0
package/src/connections/message-handler-bridge.ts +415 -0
package/src/connections/platform-auth-methods.ts +15 -0
package/src/connections/types.ts +84 -0
package/src/gateway/connection-manager.ts +291 -0
package/src/gateway/index.ts +700 -0
package/src/gateway/job-router.ts +201 -0
package/src/gateway-main.ts +200 -0
package/src/index.ts +41 -0
package/src/infrastructure/queue/index.ts +12 -0
package/src/infrastructure/queue/queue-producer.ts +148 -0
package/src/infrastructure/queue/redis-queue.ts +361 -0
package/src/infrastructure/queue/types.ts +133 -0
package/src/infrastructure/redis/system-message-limiter.ts +94 -0
package/src/interactions/config-request-store.ts +198 -0
package/src/interactions.ts +363 -0
package/src/lobu.ts +311 -0
package/src/metrics/prometheus.ts +159 -0
package/src/modules/module-system.ts +179 -0
package/src/orchestration/base-deployment-manager.ts +900 -0
package/src/orchestration/deployment-utils.ts +98 -0
package/src/orchestration/impl/docker-deployment.ts +620 -0
package/src/orchestration/impl/embedded-deployment.ts +268 -0
package/src/orchestration/impl/index.ts +8 -0
package/src/orchestration/impl/k8s/deployment.ts +1061 -0
package/src/orchestration/impl/k8s/helpers.ts +610 -0
package/src/orchestration/impl/k8s/index.ts +1 -0
package/src/orchestration/index.ts +333 -0
package/src/orchestration/message-consumer.ts +584 -0
package/src/orchestration/scheduled-wakeup.ts +704 -0
package/src/permissions/approval-policy.ts +36 -0
package/src/permissions/grant-store.ts +219 -0
package/src/platform/file-handler.ts +66 -0
package/src/platform/link-buttons.ts +57 -0
package/src/platform/renderer-utils.ts +44 -0
package/src/platform/response-renderer.ts +84 -0
package/src/platform/unified-thread-consumer.ts +187 -0
package/src/platform.ts +318 -0
package/src/proxy/http-proxy.ts +752 -0
package/src/proxy/proxy-manager.ts +81 -0
package/src/proxy/secret-proxy.ts +402 -0
package/src/proxy/token-refresh-job.ts +143 -0
package/src/routes/internal/audio.ts +141 -0
package/src/routes/internal/device-auth.ts +566 -0
package/src/routes/internal/files.ts +226 -0
package/src/routes/internal/history.ts +69 -0
package/src/routes/internal/images.ts +127 -0
package/src/routes/internal/interactions.ts +84 -0
package/src/routes/internal/middleware.ts +23 -0
package/src/routes/internal/schedule.ts +226 -0
package/src/routes/internal/types.ts +22 -0
package/src/routes/openapi-auto.ts +239 -0
package/src/routes/public/agent-access.ts +23 -0
package/src/routes/public/agent-config.ts +675 -0
package/src/routes/public/agent-history.ts +422 -0
package/src/routes/public/agent-schedules.ts +296 -0
package/src/routes/public/agent.ts +1086 -0
package/src/routes/public/agents.ts +373 -0
package/src/routes/public/channels.ts +191 -0
package/src/routes/public/cli-auth.ts +883 -0
package/src/routes/public/connections.ts +574 -0
package/src/routes/public/landing.ts +16 -0
package/src/routes/public/oauth.ts +147 -0
package/src/routes/public/settings-auth.ts +104 -0
package/src/routes/public/slack.ts +173 -0
package/src/routes/shared/agent-ownership.ts +101 -0
package/src/routes/shared/token-verifier.ts +34 -0
package/src/services/core-services.ts +1053 -0
package/src/services/image-generation-service.ts +257 -0
package/src/services/instruction-service.ts +318 -0
package/src/services/mcp-registry.ts +94 -0
package/src/services/platform-helpers.ts +287 -0
package/src/services/session-manager.ts +262 -0
package/src/services/settings-resolver.ts +74 -0
package/src/services/system-config-resolver.ts +90 -0
package/src/services/system-skills-service.ts +229 -0
package/src/services/transcription-service.ts +684 -0
package/src/session.ts +110 -0
package/src/spaces/index.ts +1 -0
package/src/spaces/space-resolver.ts +17 -0
package/src/stores/in-memory-agent-store.ts +403 -0
package/src/stores/redis-agent-store.ts +279 -0
package/src/utils/public-url.ts +44 -0
package/src/utils/rate-limiter.ts +94 -0
package/tsconfig.json +33 -0

package/src/routes/public/agent-history.ts ADDED Viewed

@@ -0,0 +1,422 @@
+/**
+ * Agent history routes — proxy session data from worker HTTP server,
+ * with direct session-file fallback for embedded/Docker dev mode.
+ * Auth: settings session cookie (verifySettingsSession).
+ */
+import { readdir, readFile, stat } from "node:fs/promises";
+import { join, resolve } from "node:path";
+import type { AgentConfigStore } from "@lobu/core";
+import { createLogger } from "@lobu/core";
+import type { Context } from "hono";
+import { Hono } from "hono";
+import type { UserAgentsStore } from "../../auth/user-agents-store";
+import type { ChatInstanceManager } from "../../connections/chat-instance-manager";
+import type { WorkerConnectionManager } from "../../gateway/connection-manager";
+import { createTokenVerifier } from "../shared/token-verifier";
+import { verifySettingsSession } from "./settings-auth";
+const logger = createLogger("agent-history-routes");
+/** Alphanumeric, hyphens, and underscores only — no path separators or dots. */
+const SAFE_AGENT_ID = /^[a-zA-Z0-9_-]+$/;
+function isSafeAgentId(id: string): boolean {
+  return SAFE_AGENT_ID.test(id);
+}
+// ─── Direct session file reader (fallback) ─────────────────────────────────
+interface SessionEntry {
+  type: string;
+  id: string;
+  parentId: string | null;
+  timestamp: string;
+  message?: {
+    role: string;
+    content: unknown;
+    usage?: { inputTokens?: number; outputTokens?: number };
+  };
+  summary?: string;
+  provider?: string;
+  modelId?: string;
+  customType?: string;
+  content?: unknown;
+  display?: boolean;
+}
+interface ParsedMessage {
+  id: string;
+  type: string;
+  role?: string;
+  content: unknown;
+  model?: string;
+  timestamp: string;
+  isVerbose?: boolean;
+  usage?: { inputTokens?: number; outputTokens?: number };
+}
+async function findSessionFile(agentId: string): Promise<string | null> {
+  if (!isSafeAgentId(agentId)) return null;
+  const workspacesRoot = resolve("workspaces");
+  const workspaceDir = resolve(workspacesRoot, agentId);
+  if (!workspaceDir.startsWith(`${workspacesRoot}/`)) return null;
+  // Direct: workspaces/{agentId}/.openclaw/session.jsonl
+  const directPath = join(workspaceDir, ".openclaw", "session.jsonl");
+  try {
+    await stat(directPath);
+    return directPath;
+  } catch {
+    // Not found
+  }
+  // Search subdirectories (up to 3 levels deep for nested workspace layouts)
+  try {
+    const search = async (
+      dir: string,
+      depth: number
+    ): Promise<string | null> => {
+      if (depth > 3) return null;
+      const entries = await readdir(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
+        const sessionPath = join(dir, entry.name, ".openclaw", "session.jsonl");
+        try {
+          await stat(sessionPath);
+          return sessionPath;
+        } catch {
+          // Try deeper
+          const deeper = await search(join(dir, entry.name), depth + 1);
+          if (deeper) return deeper;
+        }
+      }
+      return null;
+    };
+    return await search(workspaceDir, 0);
+  } catch {
+    // Workspace dir doesn't exist
+  }
+  return null;
+}
+function parseSessionEntries(content: string): {
+  entries: SessionEntry[];
+  sessionId?: string;
+} {
+  const lines = content.split("\n").filter((l) => l.trim());
+  const entries: SessionEntry[] = [];
+  let sessionId: string | undefined;
+  for (const line of lines) {
+    try {
+      const parsed = JSON.parse(line);
+      if (parsed.type === "session") {
+        sessionId = parsed.id;
+        continue;
+      }
+      entries.push(parsed);
+    } catch {
+      // Skip malformed
+    }
+  }
+  return { entries, sessionId };
+}
+function entryToMessage(entry: SessionEntry): ParsedMessage | null {
+  if (entry.type === "message" && entry.message) {
+    return {
+      id: entry.id,
+      type: "message",
+      role: entry.message.role,
+      content: entry.message.content,
+      timestamp: entry.timestamp,
+      isVerbose: entry.message.role === "toolResult",
+      usage: entry.message.usage,
+    };
+  }
+  if (entry.type === "compaction") {
+    return {
+      id: entry.id,
+      type: "compaction",
+      content: entry.summary || "",
+      timestamp: entry.timestamp,
+      isVerbose: true,
+    };
+  }
+  if (entry.type === "model_change") {
+    return {
+      id: entry.id,
+      type: "model_change",
+      content: `${entry.provider}/${entry.modelId}`,
+      model: `${entry.provider}/${entry.modelId}`,
+      timestamp: entry.timestamp,
+      isVerbose: true,
+    };
+  }
+  if (entry.type === "custom_message") {
+    return {
+      id: entry.id,
+      type: "custom_message",
+      role: "user",
+      content: entry.content,
+      timestamp: entry.timestamp,
+      isVerbose: !entry.display,
+    };
+  }
+  return null;
+}
+async function readSessionMessages(
+  agentId: string,
+  cursorParam: string,
+  limit: number
+) {
+  const sessionPath = await findSessionFile(agentId);
+  if (!sessionPath) {
+    return {
+      messages: [],
+      nextCursor: null,
+      hasMore: false,
+      sessionId: "none",
+    };
+  }
+  const content = await readFile(sessionPath, "utf-8");
+  const { entries, sessionId } = parseSessionEntries(content);
+  const allMessages: ParsedMessage[] = [];
+  for (const entry of entries) {
+    const msg = entryToMessage(entry);
+    if (msg) allMessages.push(msg);
+  }
+  let startIndex = 0;
+  if (cursorParam) {
+    const idx = allMessages.findIndex((m) => m.id === cursorParam);
+    if (idx >= 0) startIndex = idx + 1;
+  }
+  const pageMessages = allMessages.slice(startIndex, startIndex + limit);
+  const hasMore = startIndex + limit < allMessages.length;
+  const nextCursor = hasMore ? pageMessages[pageMessages.length - 1]?.id : null;
+  return {
+    messages: pageMessages,
+    nextCursor,
+    hasMore,
+    sessionId: sessionId || "unknown",
+  };
+}
+async function readSessionStats(agentId: string) {
+  const sessionPath = await findSessionFile(agentId);
+  if (!sessionPath) {
+    return {
+      sessionId: "none",
+      messageCount: 0,
+      userMessages: 0,
+      assistantMessages: 0,
+      totalInputTokens: 0,
+      totalOutputTokens: 0,
+    };
+  }
+  const content = await readFile(sessionPath, "utf-8");
+  const { entries, sessionId } = parseSessionEntries(content);
+  let messageCount = 0;
+  let userMessages = 0;
+  let assistantMessages = 0;
+  let totalInputTokens = 0;
+  let totalOutputTokens = 0;
+  let currentModel: string | undefined;
+  for (const entry of entries) {
+    if (entry.type === "message" && entry.message) {
+      messageCount++;
+      if (entry.message.role === "user") userMessages++;
+      if (entry.message.role === "assistant") assistantMessages++;
+      if (entry.message.usage) {
+        const u = entry.message.usage as any;
+        totalInputTokens += u.inputTokens || u.input || 0;
+        totalOutputTokens += u.outputTokens || u.output || 0;
+      }
+    }
+    if (entry.type === "model_change") {
+      currentModel = `${entry.provider}/${entry.modelId}`;
+    }
+  }
+  return {
+    sessionId: sessionId || "unknown",
+    messageCount,
+    userMessages,
+    assistantMessages,
+    totalInputTokens,
+    totalOutputTokens,
+    currentModel,
+  };
+}
+// ─── Routes ─────────────────────────────────────────────────────────────────
+export function createAgentHistoryRoutes(deps: {
+  connectionManager: WorkerConnectionManager;
+  chatInstanceManager?: ChatInstanceManager;
+  agentConfigStore?: Pick<AgentConfigStore, "listSandboxes" | "getMetadata">;
+  userAgentsStore?: UserAgentsStore;
+}) {
+  const app = new Hono();
+  const { connectionManager, chatInstanceManager, agentConfigStore } = deps;
+  const verifyToken = createTokenVerifier({
+    userAgentsStore: deps.userAgentsStore,
+    agentMetadataStore: deps.agentConfigStore,
+  });
+  async function getAuthorizedAgentId(c: Context): Promise<string | null> {
+    const session = verifySettingsSession(c);
+    if (!session) return null;
+    const agentId = c.req.param("agentId") || session.agentId || null;
+    if (!agentId || !isSafeAgentId(agentId)) return null;
+    const verified = await verifyToken(session, agentId);
+    return verified ? agentId : null;
+  }
+  /**
+   * Resolve the first active sandbox agentId that has a running deployment.
+   * When a template agent (e.g. "lobu") has no direct deployments,
+   * we look at its connections' sandbox agents for a running worker.
+   */
+  async function resolveActiveAgent(
+    agentId: string
+  ): Promise<{ connected: boolean; resolvedAgentId: string }> {
+    if (connectionManager.getDeploymentsForAgent(agentId).length > 0) {
+      return { connected: true, resolvedAgentId: agentId };
+    }
+    if (chatInstanceManager && agentConfigStore) {
+      try {
+        const connections = await chatInstanceManager.listConnections({
+          templateAgentId: agentId,
+        });
+        for (const conn of connections) {
+          const sandboxes = await agentConfigStore.listSandboxes(conn.id);
+          for (const sb of sandboxes) {
+            if (
+              connectionManager.getDeploymentsForAgent(sb.agentId).length > 0
+            ) {
+              return { connected: true, resolvedAgentId: sb.agentId };
+            }
+          }
+        }
+      } catch (e) {
+        logger.debug("Failed to resolve sandbox agents", { error: e });
+      }
+    }
+    return { connected: false, resolvedAgentId: agentId };
+  }
+  /**
+   * Try proxying to worker HTTP server, fall back to direct file read.
+   */
+  async function proxyOrFallback<T>(
+    agentId: string,
+    workerPath: string,
+    fallback: (agentId: string) => Promise<T>
+  ): Promise<{ data: T; proxied: boolean } | null> {
+    const { resolvedAgentId } = await resolveActiveAgent(agentId);
+    const httpUrl = connectionManager.getHttpUrl(resolvedAgentId);
+    if (httpUrl) {
+      try {
+        const response = await fetch(`${httpUrl}${workerPath}`, {
+          signal: AbortSignal.timeout(5000),
+        });
+        if (response.ok) {
+          return { data: (await response.json()) as T, proxied: true };
+        }
+      } catch {
+        // Worker HTTP not reachable, fall through to file read
+      }
+    }
+    // Fallback: read session file directly
+    try {
+      return { data: await fallback(resolvedAgentId), proxied: false };
+    } catch (e) {
+      logger.debug("Session file fallback failed", {
+        error: e,
+        agentId: resolvedAgentId,
+      });
+      return null;
+    }
+  }
+  // Agent status
+  app.get("/status", async (c) => {
+    const agentId = await getAuthorizedAgentId(c);
+    if (!agentId) return c.json({ error: "Unauthorized" }, 401);
+    const { connected, resolvedAgentId } = await resolveActiveAgent(agentId);
+    // Even if worker HTTP is unreachable, check if session file exists on disk
+    const hasSessionFile = !!(await findSessionFile(resolvedAgentId));
+    return c.json({
+      connected: connected || hasSessionFile,
+      hasHttpServer: !!connectionManager.getHttpUrl(resolvedAgentId),
+      deploymentCount:
+        connectionManager.getDeploymentsForAgent(resolvedAgentId).length,
+    });
+  });
+  // Session messages
+  app.get("/session/messages", async (c) => {
+    const agentId = await getAuthorizedAgentId(c);
+    if (!agentId) return c.json({ error: "Unauthorized" }, 401);
+    const cursor = c.req.query("cursor") || "";
+    const limit = Math.min(parseInt(c.req.query("limit") || "50", 10), 200);
+    const result = await proxyOrFallback(
+      agentId,
+      `/session/messages?cursor=${cursor}&limit=${limit}`,
+      (resolved) => readSessionMessages(resolved, cursor, limit)
+    );
+    if (!result) {
+      return c.json(
+        {
+          error: "Agent offline",
+          connected: false,
+          messages: [],
+          nextCursor: null,
+          hasMore: false,
+        },
+        503
+      );
+    }
+    return c.json(result.data);
+  });
+  // Session stats
+  app.get("/session/stats", async (c) => {
+    const agentId = await getAuthorizedAgentId(c);
+    if (!agentId) return c.json({ error: "Unauthorized" }, 401);
+    const result = await proxyOrFallback(
+      agentId,
+      "/session/stats",
+      readSessionStats
+    );
+    if (!result) {
+      return c.json({ error: "Agent offline", connected: false }, 503);
+    }
+    return c.json(result.data);
+  });
+  return app;
+}

package/src/routes/public/agent-schedules.ts ADDED Viewed

@@ -0,0 +1,296 @@
+/**
+ * Agent Schedules Routes
+ *
+ * Schedule management endpoints mounted under /api/v1/agents/{agentId}/schedules
+ */
+import { createRoute, OpenAPIHono, z } from "@hono/zod-openapi";
+import type { AgentConfigStore } from "@lobu/core";
+import { createLogger } from "@lobu/core";
+import type { ExternalAuthClient } from "../../auth/external/client";
+import type { SettingsTokenPayload } from "../../auth/settings/token-service";
+import type { UserAgentsStore } from "../../auth/user-agents-store";
+import type { ScheduledWakeupService } from "../../orchestration/scheduled-wakeup";
+import { createTokenVerifier } from "../shared/token-verifier";
+import { verifySettingsSessionOrToken } from "./settings-auth";
+const logger = createLogger("agent-schedules");
+const TAG = "Schedules";
+const ErrorResponse = z.object({ error: z.string() });
+const TokenQuery = z.object({ token: z.string().optional() });
+// --- Route Definitions ---
+const listSchedulesRoute = createRoute({
+  method: "get",
+  path: "/",
+  tags: [TAG],
+  summary: "List agent schedules",
+  request: { query: TokenQuery },
+  responses: {
+    200: {
+      description: "Schedules",
+      content: {
+        "application/json": {
+          schema: z.object({
+            schedules: z.array(
+              z.object({
+                scheduleId: z.string(),
+                conversationId: z.string(),
+                task: z.string(),
+                scheduledAt: z.number(),
+                scheduledFor: z.number(),
+                status: z.string(),
+              })
+            ),
+          }),
+        },
+      },
+    },
+    401: {
+      description: "Unauthorized",
+      content: { "application/json": { schema: ErrorResponse } },
+    },
+  },
+});
+const cancelScheduleRoute = createRoute({
+  method: "delete",
+  path: "/{scheduleId}",
+  tags: [TAG],
+  summary: "Cancel agent schedule",
+  request: {
+    query: TokenQuery,
+    params: z.object({ scheduleId: z.string() }),
+  },
+  responses: {
+    200: {
+      description: "Cancelled",
+      content: {
+        "application/json": {
+          schema: z.object({
+            success: z.boolean(),
+            message: z.string().optional(),
+          }),
+        },
+      },
+    },
+    401: {
+      description: "Unauthorized",
+      content: { "application/json": { schema: ErrorResponse } },
+    },
+  },
+});
+const createScheduleRoute = createRoute({
+  method: "post",
+  path: "/",
+  tags: [TAG],
+  summary: "Create agent schedule",
+  request: {
+    query: TokenQuery,
+    body: {
+      content: {
+        "application/json": {
+          schema: z.object({
+            task: z.string().max(2000),
+            cron: z.string().optional(),
+            delayMinutes: z.number().min(1).max(1440).optional(),
+            maxIterations: z.number().min(1).optional(),
+            context: z.record(z.string(), z.unknown()).optional(),
+            source: z.string().optional(),
+          }),
+        },
+      },
+    },
+  },
+  responses: {
+    200: {
+      description: "Schedule created",
+      content: {
+        "application/json": {
+          schema: z.object({
+            scheduleId: z.string(),
+            scheduledFor: z.string(),
+            isRecurring: z.boolean(),
+            cron: z.string().optional(),
+            maxIterations: z.number(),
+          }),
+        },
+      },
+    },
+    400: {
+      description: "Bad request",
+      content: { "application/json": { schema: ErrorResponse } },
+    },
+    401: {
+      description: "Unauthorized",
+      content: { "application/json": { schema: ErrorResponse } },
+    },
+  },
+});
+export interface AgentSchedulesRoutesConfig {
+  scheduledWakeupService?: ScheduledWakeupService;
+  externalAuthClient?: ExternalAuthClient;
+  userAgentsStore?: UserAgentsStore;
+  agentMetadataStore?: Pick<AgentConfigStore, "getMetadata">;
+}
+export function createAgentSchedulesRoutes(
+  config: AgentSchedulesRoutesConfig
+): OpenAPIHono {
+  const app = new OpenAPIHono();
+  const verifySessionToken = createTokenVerifier({
+    userAgentsStore: config.userAgentsStore,
+    agentMetadataStore: config.agentMetadataStore,
+  });
+  /**
+   * Auth: settings session (cookie/authProvider) OR external OAuth Bearer token
+   * (validated via MEMORY_URL userinfo endpoint).
+   */
+  async function requireAuth(
+    c: any,
+    agentId: string
+  ): Promise<SettingsTokenPayload | null> {
+    // 1. Try settings session (cookie or injected authProvider)
+    const session = verifySettingsSessionOrToken(c);
+    if (session) {
+      if (session.isAdmin || session.settingsMode === "admin") {
+        return {
+          ...session,
+          isAdmin: true,
+          settingsMode: "admin",
+        };
+      }
+      return verifySessionToken(session, agentId);
+    }
+    // 2. Try external OAuth Bearer token (validated via MEMORY_URL)
+    if (config.externalAuthClient) {
+      const authHeader = c.req.header("Authorization");
+      if (authHeader?.startsWith("Bearer ")) {
+        const token = authHeader.substring(7);
+        try {
+          const userInfo = await config.externalAuthClient.fetchUserInfo(token);
+          if (userInfo?.sub) {
+            return verifySessionToken(
+              {
+                userId: userInfo.sub,
+                oauthUserId: userInfo.sub,
+                platform: "external",
+                exp: Date.now() + 60_000,
+              },
+              agentId
+            );
+          }
+        } catch (err) {
+          logger.debug({ err }, "Bearer token validation failed");
+        }
+      }
+    }
+    return null;
+  }
+  // POST / — create schedule
+  app.openapi(createScheduleRoute, async (c): Promise<any> => {
+    const agentId = c.req.param("agentId") || "";
+    if (!(await requireAuth(c, agentId))) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (!config.scheduledWakeupService) {
+      return c.json({ error: "Scheduling not configured" }, 500);
+    }
+    const body = c.req.valid("json");
+    if (!body.cron && !body.delayMinutes) {
+      return c.json({ error: "Must specify either cron or delayMinutes" }, 400);
+    }
+    if (body.cron && body.delayMinutes) {
+      return c.json(
+        { error: "Cannot specify both cron and delayMinutes" },
+        400
+      );
+    }
+    try {
+      const schedule = await config.scheduledWakeupService.scheduleExternal({
+        agentId,
+        task: body.task,
+        context: body.context,
+        cron: body.cron,
+        delayMinutes: body.delayMinutes,
+        maxIterations: body.maxIterations,
+        source: body.source,
+      });
+      return c.json({
+        scheduleId: schedule.id,
+        scheduledFor: schedule.triggerAt,
+        isRecurring: schedule.isRecurring,
+        cron: schedule.cron,
+        maxIterations: schedule.maxIterations,
+      });
+    } catch (error) {
+      return c.json(
+        {
+          error:
+            error instanceof Error
+              ? error.message
+              : "Failed to create schedule",
+        },
+        400
+      );
+    }
+  });
+  app.openapi(listSchedulesRoute, async (c): Promise<any> => {
+    const agentId = c.req.param("agentId") || "";
+    if (!(await requireAuth(c, agentId))) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (!config.scheduledWakeupService) return c.json({ schedules: [] });
+    const schedules =
+      await config.scheduledWakeupService.listPendingForAgent(agentId);
+    return c.json({
+      schedules: schedules.map((s) => ({
+        scheduleId: s.id,
+        conversationId: s.conversationId,
+        task: s.task,
+        scheduledAt: s.scheduledAt,
+        scheduledFor: s.triggerAt,
+        status: s.status,
+      })),
+    });
+  });
+  app.openapi(cancelScheduleRoute, async (c): Promise<any> => {
+    const agentId = c.req.param("agentId") || "";
+    if (!(await requireAuth(c, agentId))) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (!config.scheduledWakeupService) {
+      return c.json({ error: "Not configured" }, 500);
+    }
+    const { scheduleId } = c.req.valid("param");
+    const success = await config.scheduledWakeupService.cancelByAgent(
+      scheduleId,
+      agentId
+    );
+    return c.json({
+      success,
+      message: success ? undefined : "Not found or already triggered",
+    });
+  });
+  return app;
+}