npm - @desplega.ai/agent-swarm - Versions diffs - 1.71.0 → 1.71.1 - Mend

@desplega.ai/agent-swarm 1.71.0 → 1.71.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/openapi.json +43 -1
package/package.json +1 -1
package/src/http/trackers/jira.ts +73 -9
package/src/http/trackers/linear.ts +47 -4
package/src/http/utils.ts +27 -0
package/src/jira/app.ts +18 -0
package/src/jira/metadata.ts +13 -0
package/src/linear/app.ts +17 -0
package/src/linear/oauth.ts +24 -0

package/openapi.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.71.0",
+    "version": "1.71.1",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [
@@ -6392,6 +6392,27 @@
         }
       }
     },
+    "/api/trackers/jira/disconnect": {
+      "delete": {
+        "summary": "Fully disconnect Jira: delete all webhooks, drop tokens, clear metadata",
+        "tags": [
+          "Trackers"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Disconnected"
+          },
+          "503": {
+            "description": "Jira not configured"
+          }
+        }
+      }
+    },
     "/api/trackers/linear/authorize": {
       "get": {
         "summary": "Redirect to Linear OAuth consent screen",
@@ -6488,6 +6509,27 @@
         }
       }
     },
+    "/api/trackers/linear/disconnect": {
+      "delete": {
+        "summary": "Fully disconnect Linear: revoke OAuth grant + drop tokens",
+        "tags": [
+          "Trackers"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Disconnected"
+          },
+          "503": {
+            "description": "Linear not configured"
+          }
+        }
+      }
+    },
     "/api/github/webhook": {
       "post": {
         "summary": "Handle GitHub webhook events",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.71.0",
+  "version": "1.71.1",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/http/trackers/jira.ts CHANGED Viewed

@@ -1,13 +1,13 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
-import { getOAuthTokens } from "../../be/db-queries/oauth";
+import { deleteOAuthTokens, getOAuthTokens } from "../../be/db-queries/oauth";
 import { isJiraEnabled } from "../../jira/app";
-import { getJiraMetadata } from "../../jira/metadata";
+import { clearJiraMetadata, getJiraMetadata } from "../../jira/metadata";
 import { getJiraAuthorizationUrl, handleJiraCallback } from "../../jira/oauth";
 import { handleJiraWebhook } from "../../jira/webhook";
 import { deleteJiraWebhook, registerJiraWebhook } from "../../jira/webhook-lifecycle";
 import { route } from "../route-def";
-import { parseQueryParams } from "../utils";
+import { deriveApiBaseUrl, parseQueryParams } from "../utils";
 const MANUAL_WEBHOOK_INSTRUCTIONS =
   "See docs-site/.../guides/jira-integration.mdx for manual webhook registration steps.";
@@ -112,15 +112,31 @@ const jiraWebhookDelete = route({
   },
 });
+// Admin: full disconnect — delete all registered Atlassian webhooks, drop
+// stored OAuth tokens, and clear cloudId/siteUrl/webhookIds metadata. Atlassian
+// 3LO has no public token revocation endpoint, so the OAuth grant itself must
+// be revoked by the user via id.atlassian.com → Connected apps.
+const jiraDisconnect = route({
+  method: "delete",
+  path: "/api/trackers/jira/disconnect",
+  pattern: ["api", "trackers", "jira", "disconnect"],
+  summary: "Fully disconnect Jira: delete all webhooks, drop tokens, clear metadata",
+  tags: ["Trackers"],
+  responses: {
+    200: { description: "Disconnected" },
+    503: { description: "Jira not configured" },
+  },
+});
 // ─── Helpers ─────────────────────────────────────────────────────────────────
-function getWebhookBaseUrl(): string {
-  return process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
+function getWebhookUrl(req: IncomingMessage): string {
+  const token = process.env.JIRA_WEBHOOK_TOKEN ?? "<unset>";
+  return `${deriveApiBaseUrl(req)}/api/trackers/jira/webhook/${token}`;
 }
-function getWebhookUrl(): string {
-  const token = process.env.JIRA_WEBHOOK_TOKEN ?? "<unset>";
-  return `${getWebhookBaseUrl()}/api/trackers/jira/webhook/${token}`;
+function getRedirectUri(req: IncomingMessage): string {
+  return `${deriveApiBaseUrl(req)}/api/trackers/jira/callback`;
 }
 // ─── Handler ─────────────────────────────────────────────────────────────────
@@ -218,7 +234,8 @@ export async function handleJiraTracker(
       scope,
       hasManageWebhookScope,
       webhookTokenConfigured: Boolean(process.env.JIRA_WEBHOOK_TOKEN),
-      webhookUrl: getWebhookUrl(),
+      webhookUrl: getWebhookUrl(req),
+      redirectUri: getRedirectUri(req),
       webhookIds: meta.webhookIds ?? [],
     };
@@ -327,5 +344,52 @@ export async function handleJiraTracker(
     return true;
   }
+  // DELETE /api/trackers/jira/disconnect — full cleanup.
+  if (jiraDisconnect.match(req.method, pathSegments)) {
+    if (!isJiraEnabled()) {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Jira integration not configured" }));
+      return true;
+    }
+    const meta = getJiraMetadata();
+    const ids = (meta.webhookIds ?? []).map((entry) => entry.id);
+    let webhooksDeleted = 0;
+    const webhookFailures: Array<{ id: number; error: string }> = [];
+    for (const id of ids) {
+      try {
+        await deleteJiraWebhook(id);
+        webhooksDeleted++;
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.warn(`[Jira] Disconnect: webhook delete failed (id=${id}): ${message}`);
+        webhookFailures.push({ id, error: message });
+      }
+    }
+    deleteOAuthTokens("jira");
+    clearJiraMetadata();
+    console.log(
+      `[Jira] Disconnected: ${webhooksDeleted}/${ids.length} webhooks deleted, tokens cleared, metadata reset`,
+    );
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        disconnected: true,
+        webhooksDeleted,
+        webhooksTotal: ids.length,
+        webhookFailures,
+        // Atlassian 3LO has no token revocation endpoint — surface this so
+        // the UI can prompt the user to revoke the grant manually if desired.
+        revokeNote:
+          "Atlassian OAuth grants must be revoked manually at https://id.atlassian.com/manage/connected-apps if you want to fully sever the consent.",
+      }),
+    );
+    return true;
+  }
   return false;
 }

package/src/http/trackers/linear.ts CHANGED Viewed

@@ -1,11 +1,15 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
-import { getOAuthTokens } from "../../be/db-queries/oauth";
+import { deleteOAuthTokens, getOAuthTokens } from "../../be/db-queries/oauth";
 import { isLinearEnabled } from "../../linear/app";
-import { getLinearAuthorizationUrl, handleLinearCallback } from "../../linear/oauth";
+import {
+  getLinearAuthorizationUrl,
+  handleLinearCallback,
+  revokeLinearToken,
+} from "../../linear/oauth";
 import { handleLinearWebhook } from "../../linear/webhook";
 import { route } from "../route-def";
-import { parseQueryParams } from "../utils";
+import { deriveApiBaseUrl, parseQueryParams } from "../utils";
 // ─── Route Definitions ───────────────────────────────────────────────────────
@@ -67,6 +71,21 @@ const linearWebhook = route({
   },
 });
+// Admin: full disconnect — best-effort revoke the OAuth grant with Linear,
+// then drop stored tokens. Linear webhooks are configured globally on the
+// OAuth app (not per-tenant), so no per-tenant webhook delete is needed.
+const linearDisconnect = route({
+  method: "delete",
+  path: "/api/trackers/linear/disconnect",
+  pattern: ["api", "trackers", "linear", "disconnect"],
+  summary: "Fully disconnect Linear: revoke OAuth grant + drop tokens",
+  tags: ["Trackers"],
+  responses: {
+    200: { description: "Disconnected" },
+    503: { description: "Linear not configured" },
+  },
+});
 // ─── Handler ─────────────────────────────────────────────────────────────────
 export async function handleLinearTracker(
@@ -146,7 +165,7 @@ export async function handleLinearTracker(
     }
     const tokens = getOAuthTokens("linear");
-    const baseUrl = process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
+    const baseUrl = deriveApiBaseUrl(req);
     const status = {
       provider: "linear",
@@ -154,6 +173,7 @@ export async function handleLinearTracker(
       tokenExpiry: tokens?.expiresAt ?? null,
       scope: tokens?.scope ?? null,
       webhookUrl: `${baseUrl}/api/trackers/linear/webhook`,
+      redirectUri: `${baseUrl}/api/trackers/linear/callback`,
     };
     res.writeHead(200, { "Content-Type": "application/json" });
@@ -183,5 +203,28 @@ export async function handleLinearTracker(
     return true;
   }
+  // DELETE /api/trackers/linear/disconnect — full cleanup.
+  if (linearDisconnect.match(req.method, pathSegments)) {
+    if (!isLinearEnabled()) {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Linear integration not configured" }));
+      return true;
+    }
+    const tokens = getOAuthTokens("linear");
+    let revoked = false;
+    if (tokens?.accessToken) {
+      revoked = await revokeLinearToken(tokens.accessToken);
+    }
+    deleteOAuthTokens("linear");
+    console.log(`[Linear] Disconnected: revoke=${revoked}, tokens cleared`);
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ disconnected: true, revoked }));
+    return true;
+  }
   return false;
 }

package/src/http/utils.ts CHANGED Viewed

@@ -57,6 +57,33 @@ export function jsonError(res: ServerResponse, error: string, status = 400) {
   res.end(JSON.stringify({ error }));
 }
+/**
+ * Derive the API base URL for outbound-facing values (webhook URLs, OAuth
+ * redirect URIs). Returns a URL with no trailing slash.
+ *
+ * Resolution order:
+ *   1. `MCP_BASE_URL` env (canonical)
+ *   2. Inbound request host — `X-Forwarded-Proto`/`X-Forwarded-Host` if behind
+ *      a proxy/tunnel (ngrok), else `Host` header. Lets the URL stay correct
+ *      when MCP_BASE_URL is unset and the API is reached via an arbitrary
+ *      external hostname.
+ *   3. `http://localhost:<PORT>` fallback
+ */
+export function deriveApiBaseUrl(req: IncomingMessage): string {
+  const envBase = process.env.MCP_BASE_URL?.trim();
+  if (envBase) return envBase.replace(/\/+$/, "");
+  const fwdProtoRaw = req.headers["x-forwarded-proto"];
+  const fwdHostRaw = req.headers["x-forwarded-host"];
+  const fwdProto = Array.isArray(fwdProtoRaw) ? fwdProtoRaw[0] : fwdProtoRaw;
+  const fwdHost = Array.isArray(fwdHostRaw) ? fwdHostRaw[0] : fwdHostRaw;
+  const proto = fwdProto?.split(",")[0]?.trim() || "http";
+  const host = fwdHost?.split(",")[0]?.trim() || req.headers.host;
+  if (host) return `${proto}://${host}`;
+  return `http://localhost:${process.env.PORT || "3013"}`;
+}
 /**
  * Match a route pattern against HTTP method and path segments.
  *

package/src/jira/app.ts CHANGED Viewed

@@ -60,6 +60,24 @@ export function initJira(): boolean {
   initJiraOutboundSync();
   startJiraWebhookKeepalive();
+  warnIfMcpBaseUrlLooksLikeAppUrl();
   console.log("[Jira] Integration initialized");
   return true;
 }
+/**
+ * Soft sanity check for `MCP_BASE_URL`. If it equals `APP_URL` (a common
+ * misconfig that points the webhook URL at the dashboard host), warn loudly
+ * so the operator can fix the env. We don't fail boot — Atlassian will just
+ * 404 webhook deliveries until corrected.
+ */
+function warnIfMcpBaseUrlLooksLikeAppUrl(): void {
+  const mcp = process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "");
+  const app = process.env.APP_URL?.trim().replace(/\/+$/, "");
+  if (mcp && app && mcp === app) {
+    console.warn(
+      `[Jira] WARNING: MCP_BASE_URL (${mcp}) equals APP_URL — registered webhook URLs will hit the dashboard host, not the API. Atlassian will likely 404 webhook deliveries. Point MCP_BASE_URL at the API server.`,
+    );
+  }
+}

package/src/jira/metadata.ts CHANGED Viewed

@@ -102,3 +102,16 @@ export function updateJiraMetadata(partial: Partial<JiraOAuthAppMetadata>): void
   txn();
 }
+/**
+ * Reset the Jira `oauth_apps.metadata` blob to `{}`. Used by the disconnect
+ * flow to drop cloudId, siteUrl, and webhookIds in one shot. The row itself
+ * stays — `initJira()` requires the `oauth_apps` row to exist.
+ */
+export function clearJiraMetadata(): void {
+  getDb()
+    .query(
+      "UPDATE oauth_apps SET metadata = '{}', updatedAt = strftime('%Y-%m-%dT%H:%M:%fZ', 'now') WHERE provider = 'jira'",
+    )
+    .run();
+}

package/src/linear/app.ts CHANGED Viewed

@@ -43,6 +43,23 @@ export function initLinear(): boolean {
   initLinearOutboundSync();
+  warnIfMcpBaseUrlLooksLikeAppUrl();
   console.log("[Linear] Integration initialized");
   return true;
 }
+/**
+ * Soft sanity check for `MCP_BASE_URL`. If it equals `APP_URL` (a common
+ * misconfig that surfaces a wrong-looking webhook URL in the dashboard),
+ * warn loudly so the operator can fix the env.
+ */
+function warnIfMcpBaseUrlLooksLikeAppUrl(): void {
+  const mcp = process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "");
+  const app = process.env.APP_URL?.trim().replace(/\/+$/, "");
+  if (mcp && app && mcp === app) {
+    console.warn(
+      `[Linear] WARNING: MCP_BASE_URL (${mcp}) equals APP_URL — surfaced webhook URL points at the dashboard host, not the API. Configure Linear with this URL only if the dashboard host also serves /api/*.`,
+    );
+  }
+}

package/src/linear/oauth.ts CHANGED Viewed

@@ -33,3 +33,27 @@ export async function handleLinearCallback(
   if (!config) throw new Error("Linear OAuth not configured");
   return exchangeCode(config, code, state);
 }
+/**
+ * Revoke an OAuth access token with Linear. Best-effort — caller should not
+ * abort the disconnect flow if this fails. Linear's revocation endpoint is
+ * `POST https://api.linear.app/oauth/revoke` with the access token in the
+ * Authorization header (per https://developers.linear.app/docs/oauth/authentication).
+ *
+ * Returns true on a 2xx response, false otherwise.
+ */
+export async function revokeLinearToken(accessToken: string): Promise<boolean> {
+  try {
+    const res = await fetch("https://api.linear.app/oauth/revoke", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    return res.ok;
+  } catch (err) {
+    console.warn(
+      "[Linear] Token revocation failed (best-effort):",
+      err instanceof Error ? err.message : err,
+    );
+    return false;
+  }
+}