npm - @calltelemetry/openclaw-linear - Versions diffs - 0.8.8 → 0.9.0 - Mend

@calltelemetry/openclaw-linear 0.8.8 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/README.md +194 -91
package/index.ts +36 -4
package/package.json +1 -1
package/src/__test__/webhook-scenarios.test.ts +1 -1
package/src/gateway/dispatch-methods.test.ts +9 -9
package/src/infra/commands.test.ts +5 -5
package/src/infra/config-paths.test.ts +246 -0
package/src/infra/doctor.ts +45 -36
package/src/infra/notify.test.ts +49 -0
package/src/infra/notify.ts +7 -2
package/src/infra/observability.ts +1 -0
package/src/infra/shared-profiles.test.ts +262 -0
package/src/infra/shared-profiles.ts +116 -0
package/src/infra/template.test.ts +86 -0
package/src/infra/template.ts +18 -0
package/src/infra/validation.test.ts +175 -0
package/src/infra/validation.ts +52 -0
package/src/pipeline/active-session.test.ts +2 -2
package/src/pipeline/agent-end-hook.test.ts +305 -0
package/src/pipeline/artifacts.test.ts +3 -3
package/src/pipeline/dispatch-state.test.ts +111 -8
package/src/pipeline/dispatch-state.ts +48 -13
package/src/pipeline/e2e-dispatch.test.ts +2 -2
package/src/pipeline/intent-classify.test.ts +20 -2
package/src/pipeline/intent-classify.ts +14 -24
package/src/pipeline/pipeline.ts +28 -11
package/src/pipeline/planner.ts +1 -8
package/src/pipeline/planning-state.ts +9 -0
package/src/pipeline/tier-assess.test.ts +39 -39
package/src/pipeline/tier-assess.ts +15 -33
package/src/pipeline/webhook.test.ts +149 -1
package/src/pipeline/webhook.ts +90 -62
package/src/tools/dispatch-history-tool.test.ts +21 -20
package/src/tools/dispatch-history-tool.ts +1 -1
package/src/tools/linear-issues-tool.test.ts +115 -0
package/src/tools/linear-issues-tool.ts +25 -0

package/src/tools/linear-issues-tool.test.ts CHANGED Viewed

@@ -45,6 +45,7 @@ vi.mock("../api/linear-api.js", () => ({
 }));
 import { createLinearIssuesTool } from "./linear-issues-tool.js";
+import { isValidIssueId as isValidLinearId } from "../infra/validation.js";
 // ---------------------------------------------------------------------------
 // Helpers
@@ -91,6 +92,55 @@ beforeEach(() => {
   });
 });
+describe("isValidLinearId", () => {
+  it("accepts TEAM-123 format identifiers", () => {
+    expect(isValidLinearId("ENG-123")).toBe(true);
+    expect(isValidLinearId("API-1")).toBe(true);
+    expect(isValidLinearId("CT-42")).toBe(true);
+    expect(isValidLinearId("A-1")).toBe(true);
+    expect(isValidLinearId("Team2-999")).toBe(true);
+  });
+  it("accepts UUID format identifiers", () => {
+    expect(isValidLinearId("550e8400-e29b-41d4-a716-446655440000")).toBe(true);
+    expect(isValidLinearId("08cba264-d774-4afd-bc93-ee8213d12ef8")).toBe(true);
+    expect(isValidLinearId("ABCDEF01-2345-6789-ABCD-EF0123456789")).toBe(true);
+  });
+  it("rejects empty strings", () => {
+    expect(isValidLinearId("")).toBe(false);
+  });
+  it("rejects SQL injection attempts", () => {
+    expect(isValidLinearId("ENG-123'; DROP TABLE issues; --")).toBe(false);
+    expect(isValidLinearId("' OR 1=1 --")).toBe(false);
+  });
+  it("rejects GraphQL injection attempts", () => {
+    expect(isValidLinearId('{ __schema { types { name } } }')).toBe(false);
+    expect(isValidLinearId("ENG-123\n{malicious}")).toBe(false);
+  });
+  it("rejects path traversal", () => {
+    expect(isValidLinearId("../../../etc/passwd")).toBe(false);
+    expect(isValidLinearId("..\\..\\..\\windows")).toBe(false);
+  });
+  it("rejects strings that look like IDs but have extra characters", () => {
+    expect(isValidLinearId("ENG-123-extra")).toBe(false);
+    expect(isValidLinearId("-123")).toBe(false);
+    expect(isValidLinearId("123-ENG")).toBe(false);
+    expect(isValidLinearId("ENG-")).toBe(false);
+    expect(isValidLinearId("ENG")).toBe(false);
+  });
+  it("rejects UUIDs with wrong format", () => {
+    expect(isValidLinearId("550e8400-e29b-41d4-a716")).toBe(false);
+    expect(isValidLinearId("not-a-uuid-at-all-nope")).toBe(false);
+    expect(isValidLinearId("550e8400e29b41d4a716446655440000")).toBe(false); // missing dashes
+  });
+});
 describe("linear_issues tool", () => {
   describe("read action", () => {
     it("returns formatted issue details", async () => {
@@ -427,6 +477,71 @@ describe("linear_issues tool", () => {
     });
   });
+  describe("input validation", () => {
+    it("rejects invalid issueId format on read", async () => {
+      const result = parseResult(await executeTool({ action: "read", issueId: "'; DROP TABLE --" }));
+      expect(result.error).toMatch(/Invalid issueId format/);
+      expect(mockGetIssueDetails).not.toHaveBeenCalled();
+    });
+    it("rejects invalid issueId format on update", async () => {
+      const result = parseResult(await executeTool({ action: "update", issueId: "bad id!", status: "Done" }));
+      expect(result.error).toMatch(/Invalid issueId format/);
+      expect(mockGetIssueDetails).not.toHaveBeenCalled();
+    });
+    it("rejects invalid issueId format on comment", async () => {
+      const result = parseResult(await executeTool({ action: "comment", issueId: "{graphql}", body: "test" }));
+      expect(result.error).toMatch(/Invalid issueId format/);
+      expect(mockCreateComment).not.toHaveBeenCalled();
+    });
+    it("rejects invalid teamId format on create", async () => {
+      const result = parseResult(await executeTool({ action: "create", title: "Test", teamId: "invalid team!" }));
+      expect(result.error).toMatch(/Invalid teamId format/);
+      expect(mockCreateIssue).not.toHaveBeenCalled();
+    });
+    it("rejects invalid parentIssueId format on create", async () => {
+      const result = parseResult(await executeTool({ action: "create", title: "Test", parentIssueId: "not/valid" }));
+      expect(result.error).toMatch(/Invalid parentIssueId format/);
+      expect(mockGetIssueDetails).not.toHaveBeenCalled();
+    });
+    it("rejects invalid projectId format on create", async () => {
+      const result = parseResult(await executeTool({ action: "create", title: "Test", teamId: "team-1", projectId: "bad project" }));
+      expect(result.error).toMatch(/Invalid projectId format/);
+      expect(mockCreateIssue).not.toHaveBeenCalled();
+    });
+    it("rejects invalid teamId format on list_states", async () => {
+      const result = parseResult(await executeTool({ action: "list_states", teamId: "../../../etc/passwd" }));
+      expect(result.error).toMatch(/Invalid teamId format/);
+      expect(mockGetTeamStates).not.toHaveBeenCalled();
+    });
+    it("rejects invalid teamId format on list_labels", async () => {
+      const result = parseResult(await executeTool({ action: "list_labels", teamId: "' OR 1=1" }));
+      expect(result.error).toMatch(/Invalid teamId format/);
+      expect(mockGetTeamLabels).not.toHaveBeenCalled();
+    });
+    it("accepts valid TEAM-123 issueId", async () => {
+      mockGetIssueDetails.mockResolvedValueOnce(makeIssueDetails());
+      const result = parseResult(await executeTool({ action: "read", issueId: "ENG-123" }));
+      expect(result.error).toBeUndefined();
+      expect(mockGetIssueDetails).toHaveBeenCalledWith("ENG-123");
+    });
+    it("accepts valid UUID issueId", async () => {
+      const uuid = "08cba264-d774-4afd-bc93-ee8213d12ef8";
+      mockGetIssueDetails.mockResolvedValueOnce(makeIssueDetails());
+      const result = parseResult(await executeTool({ action: "read", issueId: uuid }));
+      expect(result.error).toBeUndefined();
+      expect(mockGetIssueDetails).toHaveBeenCalledWith(uuid);
+    });
+  });
   describe("error handling", () => {
     it("returns error when no token available", async () => {
       mockResolveLinearToken.mockReturnValueOnce({

package/src/tools/linear-issues-tool.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { AnyAgentTool, OpenClawPluginApi } from "openclaw/plugin-sdk";
 import { jsonResult } from "openclaw/plugin-sdk";
 import { LinearAgentApi, resolveLinearToken } from "../api/linear-api.js";
+import { isValidIssueId as isValidLinearId } from "../infra/validation.js";
 type Action = "read" | "create" | "update" | "comment" | "list_states" | "list_labels";
@@ -38,6 +39,9 @@ async function handleRead(api: LinearAgentApi, params: ToolParams) {
   if (!params.issueId) {
     return jsonResult({ error: "issueId is required for action='read'" });
   }
+  if (!isValidLinearId(params.issueId)) {
+    return jsonResult({ error: `Invalid issueId format: "${params.issueId}". Expected TEAM-123 or UUID.` });
+  }
   const issue = await api.getIssueDetails(params.issueId);
   return jsonResult({
     identifier: issue.identifier,
@@ -69,6 +73,15 @@ async function handleCreate(api: LinearAgentApi, params: ToolParams) {
   if (!params.title) {
     return jsonResult({ error: "title is required for action='create'" });
   }
+  if (params.teamId && !isValidLinearId(params.teamId)) {
+    return jsonResult({ error: `Invalid teamId format: "${params.teamId}". Expected TEAM-123 or UUID.` });
+  }
+  if (params.parentIssueId && !isValidLinearId(params.parentIssueId)) {
+    return jsonResult({ error: `Invalid parentIssueId format: "${params.parentIssueId}". Expected TEAM-123 or UUID.` });
+  }
+  if (params.projectId && !isValidLinearId(params.projectId)) {
+    return jsonResult({ error: `Invalid projectId format: "${params.projectId}". Expected TEAM-123 or UUID.` });
+  }
   // Resolve teamId: explicit param, or derive from parent issue
   let teamId = params.teamId;
@@ -133,6 +146,9 @@ async function handleUpdate(api: LinearAgentApi, params: ToolParams) {
   if (!params.issueId) {
     return jsonResult({ error: "issueId is required for action='update'" });
   }
+  if (!isValidLinearId(params.issueId)) {
+    return jsonResult({ error: `Invalid issueId format: "${params.issueId}". Expected TEAM-123 or UUID.` });
+  }
   const hasFields = params.status || params.priority != null || params.estimate != null || params.labels || params.title;
   if (!hasFields) {
@@ -209,6 +225,9 @@ async function handleComment(api: LinearAgentApi, params: ToolParams) {
   if (!params.issueId) {
     return jsonResult({ error: "issueId is required for action='comment'" });
   }
+  if (!isValidLinearId(params.issueId)) {
+    return jsonResult({ error: `Invalid issueId format: "${params.issueId}". Expected TEAM-123 or UUID.` });
+  }
   if (!params.body) {
     return jsonResult({ error: "body is required for action='comment'" });
   }
@@ -220,6 +239,9 @@ async function handleListStates(api: LinearAgentApi, params: ToolParams) {
   if (!params.teamId) {
     return jsonResult({ error: "teamId is required for action='list_states'" });
   }
+  if (!isValidLinearId(params.teamId)) {
+    return jsonResult({ error: `Invalid teamId format: "${params.teamId}". Expected TEAM-123 or UUID.` });
+  }
   const states = await api.getTeamStates(params.teamId);
   return jsonResult({ states });
 }
@@ -228,6 +250,9 @@ async function handleListLabels(api: LinearAgentApi, params: ToolParams) {
   if (!params.teamId) {
     return jsonResult({ error: "teamId is required for action='list_labels'" });
   }
+  if (!isValidLinearId(params.teamId)) {
+    return jsonResult({ error: `Invalid teamId format: "${params.teamId}". Expected TEAM-123 or UUID.` });
+  }
   const labels = await api.getTeamLabels(params.teamId);
   return jsonResult({ labels });
 }