npm - @lovelybunch/api - Versions diffs - 1.0.77-alpha.0 → 1.0.77-alpha.2 - Mend

@lovelybunch/api 1.0.77-alpha.0 → 1.0.77-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/dist/config/oauth.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Clerk OAuth configuration.
+ *
+ * Coconut currently has a single control plane, so these values are public
+ * (non-secret) constants. If a second control plane is ever introduced, move
+ * these to environment variables.
+ *
+ * Kept in sync with packages/cli/src/commands/serve.ts (startup banner).
+ */
+import type { AuthConfig } from '@lovelybunch/types';
+export declare const CLERK_JWKS_URL = "https://clerk.coconut.dev/.well-known/jwks.json";
+export declare const CLERK_ISSUER = "https://clerk.coconut.dev";
+export interface OAuthRuntimeConfig {
+    enabled: boolean;
+    clientId?: string;
+}
+export declare function setOAuthRuntimeConfig(config: OAuthRuntimeConfig): void;
+export declare function getOAuthRuntimeConfig(): OAuthRuntimeConfig;
+/**
+ * OAuth is active for this coconut iff auth.json has a Coconut OAuth provider
+ * entry that is explicitly enabled AND has a non-empty clientId. Missing entry,
+ * `enabled: false`, or missing clientId all disable OAuth.
+ *
+ * This is the single source of truth for "should we offer Continue with
+ * Coconut" — startup, middleware, /status, and the admin settings toggle all
+ * go through it.
+ */
+export declare function isCoconutOAuthActive(config: AuthConfig): boolean;
+/**
+ * Convert an AuthConfig into the runtime OAuth cache shape. Safe to call even
+ * when OAuth isn't active — returns `{ enabled: false }` in that case.
+ */
+export declare function oauthRuntimeFromAuthConfig(config: AuthConfig): OAuthRuntimeConfig;

package/dist/config/oauth.js ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * Clerk OAuth configuration.
+ *
+ * Coconut currently has a single control plane, so these values are public
+ * (non-secret) constants. If a second control plane is ever introduced, move
+ * these to environment variables.
+ *
+ * Kept in sync with packages/cli/src/commands/serve.ts (startup banner).
+ */
+export const CLERK_JWKS_URL = 'https://clerk.coconut.dev/.well-known/jwks.json';
+export const CLERK_ISSUER = 'https://clerk.coconut.dev';
+let runtimeConfig = { enabled: false };
+export function setOAuthRuntimeConfig(config) {
+    runtimeConfig = config;
+}
+export function getOAuthRuntimeConfig() {
+    return runtimeConfig;
+}
+/**
+ * OAuth is active for this coconut iff auth.json has a Coconut OAuth provider
+ * entry that is explicitly enabled AND has a non-empty clientId. Missing entry,
+ * `enabled: false`, or missing clientId all disable OAuth.
+ *
+ * This is the single source of truth for "should we offer Continue with
+ * Coconut" — startup, middleware, /status, and the admin settings toggle all
+ * go through it.
+ */
+export function isCoconutOAuthActive(config) {
+    const coconut = config.providers.oauth?.coconut;
+    return !!(coconut && coconut.enabled && coconut.clientId);
+}
+/**
+ * Convert an AuthConfig into the runtime OAuth cache shape. Safe to call even
+ * when OAuth isn't active — returns `{ enabled: false }` in that case.
+ */
+export function oauthRuntimeFromAuthConfig(config) {
+    if (!isCoconutOAuthActive(config))
+        return { enabled: false };
+    return {
+        enabled: true,
+        clientId: config.providers.oauth.coconut.clientId,
+    };
+}

package/dist/lib/auth/auth-manager.d.ts CHANGED Viewed

@@ -23,6 +23,23 @@ export declare class AuthManager {
      * Initialize auth config with defaults
      */
     initializeAuthConfig(adminEmail: string, adminName: string): Promise<AuthConfig>;
+    /**
+     * Upsert the Coconut OAuth provider entry in auth.json. Creates a minimal
+     * OAuth-only auth config on first run (auth.json missing), or merges the
+     * new Coconut OAuth settings into an existing config without touching other
+     * providers, users, or session state.
+     *
+     * Used by:
+     *   - `nut init --oauth-client-id <id>` (provisioning automation)
+     *   - `PUT /api/v1/auth-settings/oauth/coconut` (admin toggle)
+     *
+     * Callers are responsible for validating that `clientId` is present when
+     * `enabled: true` — this method stores what it's given.
+     */
+    upsertCoconutOAuth(options: {
+        enabled: boolean;
+        clientId?: string;
+    }): Promise<AuthConfig>;
     /**
      * Find user by email
      */
@@ -72,7 +89,10 @@ export declare class AuthManager {
      */
     generateToken(user: LocalAuthUser, provider?: string): Promise<string>;
     /**
-     * Verify JWT token
+     * Verify JWT token (local HS256 session token)
+     *
+     * Algorithms are pinned to HS256 to prevent algorithm-confusion attacks
+     * when the middleware also accepts externally-issued RS256 JWTs (OAuth).
      */
     verifyToken(token: string): Promise<AuthSession | null>;
     /**

package/dist/lib/auth/auth-manager.js CHANGED Viewed

@@ -92,6 +92,55 @@ export class AuthManager {
         await this.saveAuthConfig(config);
         return config;
     }
+    /**
+     * Upsert the Coconut OAuth provider entry in auth.json. Creates a minimal
+     * OAuth-only auth config on first run (auth.json missing), or merges the
+     * new Coconut OAuth settings into an existing config without touching other
+     * providers, users, or session state.
+     *
+     * Used by:
+     *   - `nut init --oauth-client-id <id>` (provisioning automation)
+     *   - `PUT /api/v1/auth-settings/oauth/coconut` (admin toggle)
+     *
+     * Callers are responsible for validating that `clientId` is present when
+     * `enabled: true` — this method stores what it's given.
+     */
+    async upsertCoconutOAuth(options) {
+        let config = null;
+        try {
+            config = await this.loadAuthConfig();
+        }
+        catch {
+            // auth.json missing; fall through and bootstrap a minimal shape below.
+        }
+        if (!config) {
+            config = {
+                version: '1.0',
+                enabled: true,
+                allowRegistration: false,
+                providers: {
+                    local: { enabled: false, users: [] },
+                    oauth: {},
+                },
+                session: {
+                    secret: this.generateSecret(),
+                    expiresIn: DEFAULT_SESSION_EXPIRY,
+                    cookieName: DEFAULT_COOKIE_NAME,
+                    secure: process.env.NODE_ENV === 'production',
+                },
+                apiKeys: [],
+            };
+        }
+        if (!config.providers.oauth) {
+            config.providers.oauth = {};
+        }
+        config.providers.oauth.coconut = {
+            enabled: options.enabled,
+            clientId: options.clientId,
+        };
+        await this.saveAuthConfig(config);
+        return config;
+    }
     /**
      * Find user by email
      */
@@ -268,15 +317,20 @@ export class AuthManager {
             iat: Math.floor(Date.now() / 1000),
             exp: Math.floor(Date.now() / 1000) + this.parseExpiry(config.session.expiresIn),
         };
-        return jwt.sign(payload, config.session.secret);
+        return jwt.sign(payload, config.session.secret, { algorithm: 'HS256' });
     }
     /**
-     * Verify JWT token
+     * Verify JWT token (local HS256 session token)
+     *
+     * Algorithms are pinned to HS256 to prevent algorithm-confusion attacks
+     * when the middleware also accepts externally-issued RS256 JWTs (OAuth).
      */
     async verifyToken(token) {
         try {
             const config = await this.loadAuthConfig();
-            const decoded = jwt.verify(token, config.session.secret);
+            const decoded = jwt.verify(token, config.session.secret, {
+                algorithms: ['HS256'],
+            });
             return decoded;
         }
         catch (error) {

package/dist/lib/auth/clerk-verifier.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { jwtVerify, type JWTPayload } from 'jose';
+/**
+ * Clerk JWT verification.
+ *
+ * - JWKS keys are fetched once and cached in memory by `jose`.
+ * - `issuer` is enforced so tokens from other Identity Providers cannot pass.
+ * - `audience` (the coconut's OAuth client_id) is enforced so a token issued
+ *   for one coconut's client cannot be replayed against another coconut.
+ */
+type JwksKeyFn = Parameters<typeof jwtVerify>[1];
+export interface ClerkVerifyResult {
+    payload: JWTPayload;
+}
+export declare function verifyClerkToken(token: string, options: {
+    audience: string;
+}): Promise<ClerkVerifyResult | null>;
+/**
+ * Test-only: inject a custom JWKS key function (e.g. `jose.createLocalJWKSet`
+ * backed by a generated keypair) so middleware tests don't hit the network.
+ */
+export declare function __setClerkJwksForTests(jwks: JwksKeyFn | null): void;
+export {};

package/dist/lib/auth/clerk-verifier.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import { CLERK_ISSUER, CLERK_JWKS_URL } from '../../config/oauth.js';
+let jwksInstance = null;
+function getJwks() {
+    if (!jwksInstance) {
+        jwksInstance = createRemoteJWKSet(new URL(CLERK_JWKS_URL));
+    }
+    return jwksInstance;
+}
+export async function verifyClerkToken(token, options) {
+    try {
+        const jwks = getJwks();
+        const verifyOptions = {
+            issuer: CLERK_ISSUER,
+            audience: options.audience,
+        };
+        const { payload } = await jwtVerify(token, jwks, verifyOptions);
+        return { payload };
+    }
+    catch (err) {
+        // jose throws typed errors like JWTExpired / JWTClaimValidationFailed /
+        // JWSSignatureVerificationFailed. We swallow them (returning null keeps
+        // the exchange handler's 401 path clean) but log the reason — without
+        // this, "OAuth exchange returned 401" is undiagnosable in prod.
+        const e = err;
+        const reason = e.code
+            ? `${e.code}${e.claim ? ` (claim: ${e.claim})` : ''}`
+            : e.message || 'unknown error';
+        console.warn(`[clerk-verifier] Token verification failed: ${reason}`);
+        return null;
+    }
+}
+/**
+ * Test-only: inject a custom JWKS key function (e.g. `jose.createLocalJWKSet`
+ * backed by a generated keypair) so middleware tests don't hit the network.
+ */
+export function __setClerkJwksForTests(jwks) {
+    jwksInstance = jwks;
+}

package/dist/middleware/auth.js CHANGED Viewed

@@ -1,6 +1,8 @@
 import { getCookie } from 'hono/cookie';
 import { getConnInfo } from '@hono/node-server/conninfo';
 import { getAuthManager } from '../lib/auth/auth-manager.js';
+import { getOAuthRuntimeConfig } from '../config/oauth.js';
+import { verifyClerkToken } from '../lib/auth/clerk-verifier.js';
 const LOOPBACK_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
 /**
  * Check if a request is a direct localhost connection (not proxied).
@@ -33,6 +35,7 @@ const PUBLIC_ROUTES = [
     '/api/v1/auth/logout',
     '/api/v1/auth/oauth',
     '/api/v1/auth/callback',
+    '/api/v1/auth/oauth/exchange',
 ];
 // Routes that require specific roles
 const ADMIN_ROUTES = [
@@ -110,8 +113,35 @@ export async function authMiddleware(c, next) {
     if (!token) {
         return c.json({ error: 'Unauthorized', message: 'No authentication token provided' }, 401);
     }
-    // Verify token
-    const session = await authManager.verifyToken(token);
+    // Verify token: try local HS256 session JWT first (fast, no network),
+    // then fall back to Clerk JWKS verification when --oauth is enabled.
+    let session = await authManager.verifyToken(token);
+    let authType = 'session';
+    if (!session) {
+        const oauth = getOAuthRuntimeConfig();
+        if (oauth.enabled && oauth.clientId) {
+            const result = await verifyClerkToken(token, { audience: oauth.clientId });
+            if (result) {
+                const { payload } = result;
+                // Map Clerk claims to the AuthSession shape expected downstream.
+                // OAuth sessions never receive the 'admin' role - admin-gated routes
+                // remain reachable only via locally-minted session tokens.
+                session = {
+                    userId: typeof payload.sub === 'string' ? payload.sub : '',
+                    email: typeof payload.email === 'string' ? payload.email : '',
+                    name: typeof payload.name === 'string' ? payload.name : '',
+                    // OAuth sessions get the most restricted role; admin is reachable
+                    // only via locally-minted tokens.
+                    role: 'viewer',
+                    provider: 'oauth',
+                    iat: typeof payload.iat === 'number' ? payload.iat : Math.floor(Date.now() / 1000),
+                    exp: typeof payload.exp === 'number' ? payload.exp : Math.floor(Date.now() / 1000) + 3600,
+                };
+                authType = 'oauth';
+                c.set('oauthClaims', payload);
+            }
+        }
+    }
     if (!session) {
         return c.json({ error: 'Unauthorized', message: 'Invalid or expired token' }, 401);
     }
@@ -121,7 +151,7 @@ export async function authMiddleware(c, next) {
     }
     // Store session in context
     c.set('session', session);
-    c.set('authType', 'session');
+    c.set('authType', authType);
     return next();
 }
 /**
@@ -177,6 +207,13 @@ export function requireAdmin(c) {
     if (authEnabled === false) {
         return null;
     }
+    // Trusted non-session authenticators (direct localhost connection, valid API
+    // key) are authoritative: they've already passed auth at the middleware
+    // layer, so admin-gated routes accept them without a session.role check.
+    const authType = c.get('authType');
+    if (authType === 'localhost' || authType === 'apikey') {
+        return null;
+    }
     const session = requireAuth(c);
     if (!session) {
         throw new Error('Authentication required');

package/dist/routes/api/v1/auth/route.js CHANGED Viewed

@@ -2,6 +2,8 @@ import { Hono } from 'hono';
 import { setCookie, deleteCookie } from 'hono/cookie';
 import { getAuthManager } from '../../../../lib/auth/auth-manager.js';
 import { getSession } from '../../../../middleware/auth.js';
+import { CLERK_ISSUER, CLERK_JWKS_URL, getOAuthRuntimeConfig, } from '../../../../config/oauth.js';
+import { verifyClerkToken } from '../../../../lib/auth/clerk-verifier.js';
 const auth = new Hono();
 /**
  * POST /api/v1/auth/login
@@ -209,11 +211,21 @@ auth.get('/status', async (c) => {
                 },
             };
         }
+        const oauth = getOAuthRuntimeConfig();
+        const oauthInfo = oauth.enabled && oauth.clientId
+            ? {
+                enabled: true,
+                clientId: oauth.clientId,
+                issuer: CLERK_ISSUER,
+                jwksUrl: CLERK_JWKS_URL,
+            }
+            : { enabled: false };
         return c.json({
             success: true,
             data: {
                 enabled: authEnabled,
                 config,
+                oauth: oauthInfo,
             },
         });
     }
@@ -223,8 +235,90 @@ auth.get('/status', async (c) => {
             success: true,
             data: {
                 enabled: false,
+                oauth: { enabled: false },
             },
         });
     }
 });
+/**
+ * POST /api/v1/auth/oauth/exchange
+ * Exchange a verified Clerk id_token for a local nut-session cookie.
+ *
+ * The SPA handles the PKCE code-for-token exchange against Clerk directly,
+ * then POSTs the resulting id_token here. We verify it via Clerk's JWKS
+ * (issuer + this coconut's client_id as audience), then mint a local HS256
+ * session JWT and set it as the standard session cookie. Downstream auth
+ * flows are unchanged from this point on.
+ *
+ * id_token (OIDC) is used rather than access_token because identity claims
+ * (`sub`, `email`, `name`) live there; access_token carries API authorization
+ * for calling Clerk on the user's behalf and has a different claim set.
+ */
+auth.post('/oauth/exchange', async (c) => {
+    try {
+        const oauth = getOAuthRuntimeConfig();
+        if (!oauth.enabled || !oauth.clientId) {
+            return c.json({ success: false, error: 'OAuth is not enabled on this coconut' }, 400);
+        }
+        const body = await c.req
+            .json()
+            .catch(() => ({}));
+        const idToken = body.idToken;
+        if (!idToken || typeof idToken !== 'string') {
+            return c.json({ success: false, error: 'idToken is required' }, 400);
+        }
+        const verified = await verifyClerkToken(idToken, {
+            audience: oauth.clientId,
+        });
+        if (!verified) {
+            return c.json({ success: false, error: 'Invalid or expired OAuth token' }, 401);
+        }
+        const { payload } = verified;
+        const sub = typeof payload.sub === 'string' ? payload.sub : '';
+        const email = typeof payload.email === 'string' ? payload.email : '';
+        const name = typeof payload.name === 'string'
+            ? payload.name
+            : (email ? email.split('@')[0] : 'Coconut User');
+        if (!sub || !email) {
+            return c.json({ success: false, error: 'OAuth token missing required claims (sub/email)' }, 401);
+        }
+        const authManager = getAuthManager();
+        const config = await authManager.loadAuthConfig();
+        // Mint a local session JWT so the existing cookie path remains unchanged.
+        // OAuth sessions are always 'viewer' - admin role is reserved for
+        // locally-managed users.
+        const localUserShape = {
+            id: sub,
+            email,
+            name,
+            role: 'viewer',
+            registered: true,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+        };
+        const token = await authManager.generateToken(localUserShape, 'oauth');
+        setCookie(c, config.session.cookieName, token, {
+            httpOnly: true,
+            secure: config.session.secure || false,
+            sameSite: 'Lax',
+            maxAge: authManager['parseExpiry'](config.session.expiresIn),
+            path: '/',
+        });
+        return c.json({
+            success: true,
+            data: {
+                user: {
+                    id: sub,
+                    email,
+                    name,
+                    role: 'viewer',
+                },
+            },
+        });
+    }
+    catch (error) {
+        console.error('OAuth exchange error:', error);
+        return c.json({ success: false, error: 'OAuth exchange failed' }, 500);
+    }
+});
 export default auth;

package/dist/routes/api/v1/auth-settings/route.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { Hono } from 'hono';
 import { getAuthManager } from '../../../../lib/auth/auth-manager.js';
 import { requireAdmin } from '../../../../middleware/auth.js';
+import { CLERK_ISSUER, CLERK_JWKS_URL, oauthRuntimeFromAuthConfig, setOAuthRuntimeConfig, } from '../../../../config/oauth.js';
 const authSettings = new Hono();
 /**
  * GET /api/v1/auth-settings
@@ -52,6 +53,17 @@ authSettings.get('/', async (c) => {
                                 callbackUrl: config.providers.oauth.github.callbackUrl,
                             }
                             : undefined,
+                        // Coconut OAuth: clientId is not a secret (it's the public
+                        // OAuth client_id used in the authorize URL), so we return it in
+                        // full so admins can verify it in the UI.
+                        coconut: config.providers.oauth.coconut
+                            ? {
+                                enabled: config.providers.oauth.coconut.enabled,
+                                clientId: config.providers.oauth.coconut.clientId,
+                                issuer: CLERK_ISSUER,
+                                jwksUrl: CLERK_JWKS_URL,
+                            }
+                            : undefined,
                     },
                 },
                 session: {
@@ -220,15 +232,84 @@ authSettings.delete('/users/:id', async (c) => {
         return c.json({ success: false, error: error.message || 'Failed to remove user' }, error.message === 'Admin access required' ? 403 : 400);
     }
 });
+/**
+ * PUT /api/v1/auth-settings/oauth/coconut
+ * Admin-only: toggle Coconut OAuth and/or update its client ID. Persists to
+ * auth.json and immediately refreshes the OAuth runtime cache so the change
+ * takes effect on the very next request (no server restart required).
+ *
+ * Request body:
+ *   { enabled: boolean, clientId?: string }
+ *
+ * Rules:
+ *   - If `enabled: true` and no clientId is supplied AND none is already
+ *     persisted, responds 400 with an actionable message.
+ *   - If `enabled: false`, clientId (if any) is preserved so the admin can
+ *     toggle back on later without re-entering it.
+ */
+authSettings.put('/oauth/coconut', async (c) => {
+    try {
+        requireAdmin(c);
+        const authManager = getAuthManager();
+        const body = await c.req
+            .json()
+            .catch(() => ({}));
+        if (typeof body.enabled !== 'boolean') {
+            return c.json({ success: false, error: '`enabled` (boolean) is required' }, 400);
+        }
+        // Resolve the effective clientId: explicit > previously-persisted.
+        let clientId = typeof body.clientId === 'string' ? body.clientId.trim() : undefined;
+        if (!clientId) {
+            const existing = await authManager.loadAuthConfig().catch(() => null);
+            clientId = existing?.providers.oauth.coconut?.clientId;
+        }
+        if (body.enabled && !clientId) {
+            return c.json({
+                success: false,
+                error: 'Coconut OAuth cannot be enabled without a client ID. Provide `clientId` in the request body, ' +
+                    'or run `nut init --oauth-client-id <id>` to seed it.',
+            }, 400);
+        }
+        const updated = await authManager.upsertCoconutOAuth({
+            enabled: body.enabled,
+            clientId,
+        });
+        // Live-apply so the next request hits the new state.
+        setOAuthRuntimeConfig(oauthRuntimeFromAuthConfig(updated));
+        return c.json({
+            success: true,
+            data: {
+                coconut: {
+                    enabled: updated.providers.oauth.coconut?.enabled ?? false,
+                    clientId: updated.providers.oauth.coconut?.clientId,
+                    issuer: CLERK_ISSUER,
+                    jwksUrl: CLERK_JWKS_URL,
+                },
+            },
+        });
+    }
+    catch (error) {
+        console.error('Update Coconut OAuth error:', error);
+        return c.json({ success: false, error: error.message || 'Failed to update Coconut OAuth' }, error.message === 'Admin access required' ? 403 : 500);
+    }
+});
 /**
  * PUT /api/v1/auth-settings/oauth/:provider
- * Configure OAuth provider (admin only)
+ * Configure a third-party OAuth provider (admin only). Coconut OAuth has its
+ * own dedicated route (above) with stricter validation and live runtime
+ * reload, so this handler refuses `coconut` to avoid ambiguity.
  */
 authSettings.put('/oauth/:provider', async (c) => {
     try {
         requireAdmin(c);
-        const authManager = getAuthManager();
         const provider = c.req.param('provider');
+        if (provider === 'coconut') {
+            return c.json({
+                success: false,
+                error: 'Use PUT /auth-settings/oauth/coconut for Coconut OAuth',
+            }, 400);
+        }
+        const authManager = getAuthManager();
         const body = await c.req.json();
         const config = await authManager.loadAuthConfig();
         if (!config.providers.oauth) {

package/dist/routes/api/v1/jobs/[id]/route.d.ts CHANGED Viewed

@@ -9,6 +9,9 @@ export declare function GET(c: Context): Promise<(Response & import("hono").Type
 }, 404, "json">) | (Response & import("hono").TypedResponse<{
     success: true;
     data: {
+        id: string;
+        name: string;
+        status: ScheduledJobStatus;
         schedule: {
             type: "cron";
             expression: string;
@@ -21,9 +24,9 @@ export declare function GET(c: Context): Promise<(Response & import("hono").Type
             timezone?: string;
             anchorHour?: number;
         };
-        status: ScheduledJobStatus;
-        id: string;
-        name: string;
+        description?: string;
+        prompt: string;
+        model: string;
         metadata: {
             createdAt: string;
             updatedAt: string;
@@ -31,19 +34,16 @@ export declare function GET(c: Context): Promise<(Response & import("hono").Type
             nextRunAt?: string;
         };
         tags?: string[];
-        description?: string;
-        model: string;
-        prompt: string;
-        mcpServers?: string[];
         contextPaths?: string[];
         agentId?: string;
         agentIds?: string[];
+        mcpServers?: string[];
         runs: {
+            id: string;
+            error?: string;
+            status: import("@lovelybunch/types").ScheduledJobRunStatus;
             jobId: string;
             trigger: import("@lovelybunch/types").ScheduledJobTrigger;
-            status: import("@lovelybunch/types").ScheduledJobRunStatus;
-            error?: string;
-            id: string;
             startedAt: string;
             finishedAt?: string;
         }[];
@@ -70,6 +70,9 @@ export declare function PATCH(c: Context): Promise<(Response & import("hono").Ty
 }, 400, "json">) | (Response & import("hono").TypedResponse<{
     success: true;
     data: {
+        id: string;
+        name: string;
+        status: ScheduledJobStatus;
         schedule: {
             type: "cron";
             expression: string;
@@ -82,9 +85,9 @@ export declare function PATCH(c: Context): Promise<(Response & import("hono").Ty
             timezone?: string;
             anchorHour?: number;
         };
-        status: ScheduledJobStatus;
-        id: string;
-        name: string;
+        description?: string;
+        prompt: string;
+        model: string;
         metadata: {
             createdAt: string;
             updatedAt: string;
@@ -92,19 +95,16 @@ export declare function PATCH(c: Context): Promise<(Response & import("hono").Ty
             nextRunAt?: string;
         };
         tags?: string[];
-        description?: string;
-        model: string;
-        prompt: string;
-        mcpServers?: string[];
         contextPaths?: string[];
         agentId?: string;
         agentIds?: string[];
+        mcpServers?: string[];
         runs: {
+            id: string;
+            error?: string;
+            status: import("@lovelybunch/types").ScheduledJobRunStatus;
             jobId: string;
             trigger: import("@lovelybunch/types").ScheduledJobTrigger;
-            status: import("@lovelybunch/types").ScheduledJobRunStatus;
-            error?: string;
-            id: string;
             startedAt: string;
             finishedAt?: string;
         }[];