@andypai/agent-kanban 0.3.5 → 0.3.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@andypai/agent-kanban",
-  "version": "0.3.5",
+  "version": "0.3.7",
   "description": "Agent-friendly kanban board CLI. Manage tasks via bash commands, parse structured JSON output.",
   "homepage": "https://github.com/abpai/agent-kanban#readme",
   "repository": {

package/src/__tests__/jira-adf.test.ts

@@ -181,6 +181,13 @@ describe('plainTextToAdf / adfToPlainText', () => {
     expect(adfToPlainText(doc)).toBe('before\n\nafter')
   })
 
+  test('Jira webhook plain string descriptions pass through unchanged', () => {
+    const description =
+      '*Repo:* https://github.com/abpai/smoke-test\n\nPlease make one minimal change.'
+
+    expect(adfToPlainText(description)).toBe(description)
+  })
+
   test('strong + link marks survive on read as markdown', () => {
     const doc: AdfDocument = {
       version: 1,

package/src/__tests__/webhooks.test.ts

@@ -1,7 +1,7 @@
 import { beforeEach, afterEach, describe, expect, test } from 'bun:test'
 import { Database } from 'bun:sqlite'
 import { createHmac } from 'node:crypto'
-import { verifyHmacSha256 } from '../webhooks'
+import { verifyHmacSha256, verifySha256HmacSignatureHeader } from '../webhooks'
 import { JiraProvider, type JiraProviderConfig } from '../providers/jira'
 import { JiraClient } from '../providers/jira-client'
 import { LinearProvider } from '../providers/linear'
@@ -57,6 +57,20 @@ describe('verifyHmacSha256', () => {
   })
 })
 
+describe('verifySha256HmacSignatureHeader', () => {
+  test('accepts Jira WebSub-style sha256 signatures', () => {
+    const body = '{"hello":"world"}'
+    const sig = hmac('s3cr3t', body)
+    expect(verifySha256HmacSignatureHeader('s3cr3t', body, `sha256=${sig}`)).toBe(true)
+  })
+
+  test('rejects missing method prefix', () => {
+    const body = '{"hello":"world"}'
+    const sig = hmac('s3cr3t', body)
+    expect(verifySha256HmacSignatureHeader('s3cr3t', body, sig)).toBe(false)
+  })
+})
+
 const jiraConfig: JiraProviderConfig = {
   baseUrl: 'https://example.atlassian.net',
   email: 'u@example.com',
@@ -125,6 +139,45 @@ describe('Jira webhook', () => {
     expect(tasks.find((t) => t.externalRef === 'ENG-100')?.title).toBe('New issue')
   })
 
+  test('issue_created accepts Jira webhook string descriptions', async () => {
+    const db = new Database(':memory:')
+    seedJira(db)
+    delete process.env['JIRA_WEBHOOK_SECRET']
+    const client = new JiraClient({
+      baseUrl: jiraConfig.baseUrl,
+      email: jiraConfig.email,
+      apiToken: jiraConfig.apiToken,
+    })
+    const provider = new JiraProvider(db, jiraConfig, client)
+    const description = '*Repo:* https://github.com/abpai/smoke-test\n\nString webhook body.'
+    const body = JSON.stringify({
+      webhookEvent: 'jira:issue_created',
+      issue: {
+        id: '101',
+        key: 'ENG-101',
+        fields: {
+          summary: 'String description issue',
+          description,
+          status: { id: '1', name: 'To Do' },
+          issuetype: { id: '10000', name: 'Task' },
+          assignee: null,
+          labels: ['alpha'],
+          comment: { total: 0 },
+          created: '2025-02-01T00:00:00.000Z',
+          updated: '2025-02-01T00:00:00.000Z',
+          project: { id: '1', key: 'ENG' },
+        },
+      },
+    })
+
+    const result = await provider.handleWebhook({ headers: {}, rawBody: body })
+
+    expect(result.handled).toBe(true)
+    expect(getCachedJiraTasks(db).find((t) => t.externalRef === 'ENG-101')?.description).toBe(
+      description,
+    )
+  })
+
   test('issue_deleted removes the task', async () => {
     const db = new Database(':memory:')
     seedJira(db)
@@ -181,7 +234,7 @@ describe('Jira webhook', () => {
       issue: { id: '300', key: 'ENG-300', fields: {} },
     })
     const result = await provider.handleWebhook({
-      headers: { 'x-hub-signature-256': 'sha256=deadbeef' },
+      headers: { 'x-hub-signature': 'sha256=deadbeef' },
       rawBody: body,
     })
     expect(result.unauthorized).toBe(true)
@@ -214,12 +267,34 @@ describe('Jira webhook', () => {
     })
     const sig = hmac('topsecret', body)
     const result = await provider.handleWebhook({
-      headers: { 'x-hub-signature-256': sig },
+      headers: { 'x-hub-signature': `sha256=${sig}` },
       rawBody: body,
     })
     expect(result.handled).toBe(true)
   })
 
+  test('rejects the old custom x-hub-signature-256 header when secret is configured', async () => {
+    const db = new Database(':memory:')
+    seedJira(db)
+    process.env['JIRA_WEBHOOK_SECRET'] = 'topsecret'
+    const client = new JiraClient({
+      baseUrl: jiraConfig.baseUrl,
+      email: jiraConfig.email,
+      apiToken: jiraConfig.apiToken,
+    })
+    const provider = new JiraProvider(db, jiraConfig, client)
+    const body = JSON.stringify({
+      webhookEvent: 'jira:issue_created',
+      issue: { id: '401', key: 'ENG-401', fields: {} },
+    })
+    const sig = hmac('topsecret', body)
+    const result = await provider.handleWebhook({
+      headers: { 'x-hub-signature-256': `sha256=${sig}` },
+      rawBody: body,
+    })
+    expect(result.unauthorized).toBe(true)
+  })
+
   test('ignores issue updates from other projects', async () => {
     const db = new Database(':memory:')
     seedJira(db)

package/src/providers/jira-adf.ts

@@ -434,6 +434,8 @@ function renderBlocks(nodes: AdfBlockNode[]): string {
   return out.join('\n\n')
 }
 
-export function adfToPlainText(doc: AdfDocument): string {
+export function adfToPlainText(doc: AdfDocument | string | null | undefined): string {
+  if (typeof doc === 'string') return doc
+  if (!doc || !Array.isArray(doc.content)) return ''
   return renderBlocks(doc.content)
 }

package/src/providers/jira.ts

@@ -11,7 +11,12 @@ import type {
   TaskComment,
   Task,
 } from '../types'
-import { headerLower, verifyHmacSha256, type WebhookRequest, type WebhookResult } from '../webhooks'
+import {
+  headerLower,
+  verifySha256HmacSignatureHeader,
+  type WebhookRequest,
+  type WebhookResult,
+} from '../webhooks'
 import { adfToPlainText, plainTextToAdf, type AdfDocument } from './jira-adf'
 import { JIRA_CAPABILITIES } from './capabilities'
 import { providerUpstreamError, unsupportedOperation } from './errors'
@@ -712,8 +717,8 @@ export class JiraProvider implements KanbanProvider {
   async handleWebhook(payload: WebhookRequest): Promise<WebhookResult> {
     const secret = process.env['JIRA_WEBHOOK_SECRET']
     if (secret) {
-      const sig = headerLower(payload.headers, 'x-hub-signature-256')
-      if (!verifyHmacSha256(secret, payload.rawBody, sig)) {
+      const sig = headerLower(payload.headers, 'x-hub-signature')
+      if (!verifySha256HmacSignatureHeader(secret, payload.rawBody, sig)) {
         return { handled: false, unauthorized: true, message: 'Invalid signature' }
       }
     }

package/src/providers/postgres-jira.ts

@@ -28,7 +28,12 @@ import type {
   UpdateTaskInput,
 } from './types'
 import { DEFAULT_POLLING_SYNC_INTERVAL_MS } from '../sync-config'
-import { headerLower, verifyHmacSha256, type WebhookRequest, type WebhookResult } from '../webhooks'
+import {
+  headerLower,
+  verifySha256HmacSignatureHeader,
+  type WebhookRequest,
+  type WebhookResult,
+} from '../webhooks'
 
 const FULL_RECONCILE_INTERVAL_MS = 5 * 60_000
 
@@ -1124,8 +1129,8 @@ export class PostgresJiraProvider implements KanbanProvider {
   async handleWebhook(payload: WebhookRequest): Promise<WebhookResult> {
     const secret = process.env['JIRA_WEBHOOK_SECRET']
     if (secret) {
-      const sig = headerLower(payload.headers, 'x-hub-signature-256')
-      if (!verifyHmacSha256(secret, payload.rawBody, sig)) {
+      const sig = headerLower(payload.headers, 'x-hub-signature')
+      if (!verifySha256HmacSignatureHeader(secret, payload.rawBody, sig)) {
         return { handled: false, unauthorized: true, message: 'Invalid signature' }
       }
     }

package/src/webhooks.ts

@@ -27,6 +27,20 @@ export function verifyHmacSha256(
   return timingSafeEqual(macBuf, expBuf)
 }
 
+export function verifySha256HmacSignatureHeader(
+  secret: string,
+  rawBody: string,
+  providedSignature: string | undefined | null,
+): boolean {
+  if (!providedSignature) return false
+  const eq = providedSignature.indexOf('=')
+  if (eq === -1) return false
+  const method = providedSignature.slice(0, eq).toLowerCase()
+  const signature = providedSignature.slice(eq + 1)
+  if (method !== 'sha256') return false
+  return verifyHmacSha256(secret, rawBody, signature)
+}
+
 export function headerLower(headers: Record<string, string>, name: string): string | undefined {
   const target = name.toLowerCase()
   for (const [k, v] of Object.entries(headers)) {