@desplega.ai/agent-swarm 1.71.0 → 1.71.2

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.71.0",
+    "version": "1.71.2",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [
@@ -6392,6 +6392,27 @@
         }
       }
     },
+    "/api/trackers/jira/disconnect": {
+      "delete": {
+        "summary": "Fully disconnect Jira: delete all webhooks, drop tokens, clear metadata",
+        "tags": [
+          "Trackers"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Disconnected"
+          },
+          "503": {
+            "description": "Jira not configured"
+          }
+        }
+      }
+    },
     "/api/trackers/linear/authorize": {
       "get": {
         "summary": "Redirect to Linear OAuth consent screen",
@@ -6488,6 +6509,27 @@
         }
       }
     },
+    "/api/trackers/linear/disconnect": {
+      "delete": {
+        "summary": "Fully disconnect Linear: revoke OAuth grant + drop tokens",
+        "tags": [
+          "Trackers"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Disconnected"
+          },
+          "503": {
+            "description": "Linear not configured"
+          }
+        }
+      }
+    },
     "/api/github/webhook": {
       "post": {
         "summary": "Handle GitHub webhook events",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.71.0",
+  "version": "1.71.2",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/http/trackers/jira.ts

@@ -1,13 +1,13 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
-import { getOAuthTokens } from "../../be/db-queries/oauth";
+import { deleteOAuthTokens, getOAuthTokens } from "../../be/db-queries/oauth";
 import { isJiraEnabled } from "../../jira/app";
-import { getJiraMetadata } from "../../jira/metadata";
+import { clearJiraMetadata, getJiraMetadata } from "../../jira/metadata";
 import { getJiraAuthorizationUrl, handleJiraCallback } from "../../jira/oauth";
 import { handleJiraWebhook } from "../../jira/webhook";
 import { deleteJiraWebhook, registerJiraWebhook } from "../../jira/webhook-lifecycle";
 import { route } from "../route-def";
-import { parseQueryParams } from "../utils";
+import { deriveApiBaseUrl, parseQueryParams } from "../utils";
 
 const MANUAL_WEBHOOK_INSTRUCTIONS =
   "See docs-site/.../guides/jira-integration.mdx for manual webhook registration steps.";
@@ -112,15 +112,31 @@ const jiraWebhookDelete = route({
   },
 });
 
+// Admin: full disconnect — delete all registered Atlassian webhooks, drop
+// stored OAuth tokens, and clear cloudId/siteUrl/webhookIds metadata. Atlassian
+// 3LO has no public token revocation endpoint, so the OAuth grant itself must
+// be revoked by the user via id.atlassian.com → Connected apps.
+const jiraDisconnect = route({
+  method: "delete",
+  path: "/api/trackers/jira/disconnect",
+  pattern: ["api", "trackers", "jira", "disconnect"],
+  summary: "Fully disconnect Jira: delete all webhooks, drop tokens, clear metadata",
+  tags: ["Trackers"],
+  responses: {
+    200: { description: "Disconnected" },
+    503: { description: "Jira not configured" },
+  },
+});
+
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
-function getWebhookBaseUrl(): string {
-  return process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
+function getWebhookUrl(req: IncomingMessage): string {
+  const token = process.env.JIRA_WEBHOOK_TOKEN ?? "<unset>";
+  return `${deriveApiBaseUrl(req)}/api/trackers/jira/webhook/${token}`;
 }
 
-function getWebhookUrl(): string {
-  const token = process.env.JIRA_WEBHOOK_TOKEN ?? "<unset>";
-  return `${getWebhookBaseUrl()}/api/trackers/jira/webhook/${token}`;
+function getRedirectUri(req: IncomingMessage): string {
+  return `${deriveApiBaseUrl(req)}/api/trackers/jira/callback`;
 }
 
 // ─── Handler ─────────────────────────────────────────────────────────────────
@@ -218,7 +234,8 @@ export async function handleJiraTracker(
       scope,
       hasManageWebhookScope,
       webhookTokenConfigured: Boolean(process.env.JIRA_WEBHOOK_TOKEN),
-      webhookUrl: getWebhookUrl(),
+      webhookUrl: getWebhookUrl(req),
+      redirectUri: getRedirectUri(req),
       webhookIds: meta.webhookIds ?? [],
     };
 
@@ -327,5 +344,52 @@ export async function handleJiraTracker(
     return true;
   }
 
+  // DELETE /api/trackers/jira/disconnect — full cleanup.
+  if (jiraDisconnect.match(req.method, pathSegments)) {
+    if (!isJiraEnabled()) {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Jira integration not configured" }));
+      return true;
+    }
+
+    const meta = getJiraMetadata();
+    const ids = (meta.webhookIds ?? []).map((entry) => entry.id);
+
+    let webhooksDeleted = 0;
+    const webhookFailures: Array<{ id: number; error: string }> = [];
+    for (const id of ids) {
+      try {
+        await deleteJiraWebhook(id);
+        webhooksDeleted++;
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.warn(`[Jira] Disconnect: webhook delete failed (id=${id}): ${message}`);
+        webhookFailures.push({ id, error: message });
+      }
+    }
+
+    deleteOAuthTokens("jira");
+    clearJiraMetadata();
+
+    console.log(
+      `[Jira] Disconnected: ${webhooksDeleted}/${ids.length} webhooks deleted, tokens cleared, metadata reset`,
+    );
+
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        disconnected: true,
+        webhooksDeleted,
+        webhooksTotal: ids.length,
+        webhookFailures,
+        // Atlassian 3LO has no token revocation endpoint — surface this so
+        // the UI can prompt the user to revoke the grant manually if desired.
+        revokeNote:
+          "Atlassian OAuth grants must be revoked manually at https://id.atlassian.com/manage/connected-apps if you want to fully sever the consent.",
+      }),
+    );
+    return true;
+  }
+
   return false;
 }

package/src/http/trackers/linear.ts

@@ -1,11 +1,15 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
-import { getOAuthTokens } from "../../be/db-queries/oauth";
+import { deleteOAuthTokens, getOAuthTokens } from "../../be/db-queries/oauth";
 import { isLinearEnabled } from "../../linear/app";
-import { getLinearAuthorizationUrl, handleLinearCallback } from "../../linear/oauth";
+import {
+  getLinearAuthorizationUrl,
+  handleLinearCallback,
+  revokeLinearToken,
+} from "../../linear/oauth";
 import { handleLinearWebhook } from "../../linear/webhook";
 import { route } from "../route-def";
-import { parseQueryParams } from "../utils";
+import { deriveApiBaseUrl, parseQueryParams } from "../utils";
 
 // ─── Route Definitions ───────────────────────────────────────────────────────
 
@@ -67,6 +71,21 @@ const linearWebhook = route({
   },
 });
 
+// Admin: full disconnect — best-effort revoke the OAuth grant with Linear,
+// then drop stored tokens. Linear webhooks are configured globally on the
+// OAuth app (not per-tenant), so no per-tenant webhook delete is needed.
+const linearDisconnect = route({
+  method: "delete",
+  path: "/api/trackers/linear/disconnect",
+  pattern: ["api", "trackers", "linear", "disconnect"],
+  summary: "Fully disconnect Linear: revoke OAuth grant + drop tokens",
+  tags: ["Trackers"],
+  responses: {
+    200: { description: "Disconnected" },
+    503: { description: "Linear not configured" },
+  },
+});
+
 // ─── Handler ─────────────────────────────────────────────────────────────────
 
 export async function handleLinearTracker(
@@ -146,7 +165,7 @@ export async function handleLinearTracker(
     }
 
     const tokens = getOAuthTokens("linear");
-    const baseUrl = process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
+    const baseUrl = deriveApiBaseUrl(req);
 
     const status = {
       provider: "linear",
@@ -154,6 +173,7 @@ export async function handleLinearTracker(
       tokenExpiry: tokens?.expiresAt ?? null,
       scope: tokens?.scope ?? null,
       webhookUrl: `${baseUrl}/api/trackers/linear/webhook`,
+      redirectUri: `${baseUrl}/api/trackers/linear/callback`,
     };
 
     res.writeHead(200, { "Content-Type": "application/json" });
@@ -183,5 +203,28 @@ export async function handleLinearTracker(
     return true;
   }
 
+  // DELETE /api/trackers/linear/disconnect — full cleanup.
+  if (linearDisconnect.match(req.method, pathSegments)) {
+    if (!isLinearEnabled()) {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Linear integration not configured" }));
+      return true;
+    }
+
+    const tokens = getOAuthTokens("linear");
+    let revoked = false;
+    if (tokens?.accessToken) {
+      revoked = await revokeLinearToken(tokens.accessToken);
+    }
+
+    deleteOAuthTokens("linear");
+
+    console.log(`[Linear] Disconnected: revoke=${revoked}, tokens cleared`);
+
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ disconnected: true, revoked }));
+    return true;
+  }
+
   return false;
 }

package/src/http/utils.ts

@@ -57,6 +57,33 @@ export function jsonError(res: ServerResponse, error: string, status = 400) {
   res.end(JSON.stringify({ error }));
 }
 
+/**
+ * Derive the API base URL for outbound-facing values (webhook URLs, OAuth
+ * redirect URIs). Returns a URL with no trailing slash.
+ *
+ * Resolution order:
+ *   1. `MCP_BASE_URL` env (canonical)
+ *   2. Inbound request host — `X-Forwarded-Proto`/`X-Forwarded-Host` if behind
+ *      a proxy/tunnel (ngrok), else `Host` header. Lets the URL stay correct
+ *      when MCP_BASE_URL is unset and the API is reached via an arbitrary
+ *      external hostname.
+ *   3. `http://localhost:<PORT>` fallback
+ */
+export function deriveApiBaseUrl(req: IncomingMessage): string {
+  const envBase = process.env.MCP_BASE_URL?.trim();
+  if (envBase) return envBase.replace(/\/+$/, "");
+
+  const fwdProtoRaw = req.headers["x-forwarded-proto"];
+  const fwdHostRaw = req.headers["x-forwarded-host"];
+  const fwdProto = Array.isArray(fwdProtoRaw) ? fwdProtoRaw[0] : fwdProtoRaw;
+  const fwdHost = Array.isArray(fwdHostRaw) ? fwdHostRaw[0] : fwdHostRaw;
+  const proto = fwdProto?.split(",")[0]?.trim() || "http";
+  const host = fwdHost?.split(",")[0]?.trim() || req.headers.host;
+
+  if (host) return `${proto}://${host}`;
+  return `http://localhost:${process.env.PORT || "3013"}`;
+}
+
 /**
  * Match a route pattern against HTTP method and path segments.
  *

package/src/jira/app.ts

@@ -36,9 +36,15 @@ export function initJira(): boolean {
 
   const clientId = process.env.JIRA_CLIENT_ID!;
   const clientSecret = process.env.JIRA_CLIENT_SECRET ?? "";
-  const redirectUri =
-    process.env.JIRA_REDIRECT_URI ??
-    `http://localhost:${process.env.PORT || "3013"}/api/trackers/jira/callback`;
+  // Boot-time redirect URI gets persisted into oauth_apps.redirectUri and used
+  // verbatim by the OAuth flow — so it must match what's registered with
+  // Atlassian. Prefer MCP_BASE_URL over the localhost dev default; in prod
+  // with no JIRA_REDIRECT_URI set, this is what stops Atlassian from sending
+  // the user back to localhost.
+  const apiBaseUrl =
+    process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "") ||
+    `http://localhost:${process.env.PORT || "3013"}`;
+  const redirectUri = process.env.JIRA_REDIRECT_URI ?? `${apiBaseUrl}/api/trackers/jira/callback`;
 
   upsertOAuthApp("jira", {
     clientId,
@@ -60,6 +66,24 @@ export function initJira(): boolean {
   initJiraOutboundSync();
   startJiraWebhookKeepalive();
 
+  warnIfMcpBaseUrlLooksLikeAppUrl();
+
   console.log("[Jira] Integration initialized");
   return true;
 }
+
+/**
+ * Soft sanity check for `MCP_BASE_URL`. If it equals `APP_URL` (a common
+ * misconfig that points the webhook URL at the dashboard host), warn loudly
+ * so the operator can fix the env. We don't fail boot — Atlassian will just
+ * 404 webhook deliveries until corrected.
+ */
+function warnIfMcpBaseUrlLooksLikeAppUrl(): void {
+  const mcp = process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "");
+  const app = process.env.APP_URL?.trim().replace(/\/+$/, "");
+  if (mcp && app && mcp === app) {
+    console.warn(
+      `[Jira] WARNING: MCP_BASE_URL (${mcp}) equals APP_URL — registered webhook URLs will hit the dashboard host, not the API. Atlassian will likely 404 webhook deliveries. Point MCP_BASE_URL at the API server.`,
+    );
+  }
+}

package/src/jira/metadata.ts

@@ -102,3 +102,16 @@ export function updateJiraMetadata(partial: Partial<JiraOAuthAppMetadata>): void
 
   txn();
 }
+
+/**
+ * Reset the Jira `oauth_apps.metadata` blob to `{}`. Used by the disconnect
+ * flow to drop cloudId, siteUrl, and webhookIds in one shot. The row itself
+ * stays — `initJira()` requires the `oauth_apps` row to exist.
+ */
+export function clearJiraMetadata(): void {
+  getDb()
+    .query(
+      "UPDATE oauth_apps SET metadata = '{}', updatedAt = strftime('%Y-%m-%dT%H:%M:%fZ', 'now') WHERE provider = 'jira'",
+    )
+    .run();
+}

package/src/linear/app.ts

@@ -27,9 +27,15 @@ export function initLinear(): boolean {
 
   const clientId = process.env.LINEAR_CLIENT_ID!;
   const clientSecret = process.env.LINEAR_CLIENT_SECRET ?? "";
+  // Boot-time redirect URI gets persisted into oauth_apps.redirectUri and used
+  // verbatim by the OAuth flow. Prefer MCP_BASE_URL over the localhost default
+  // so prod doesn't send users back to localhost when LINEAR_REDIRECT_URI is
+  // unset.
+  const apiBaseUrl =
+    process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "") ||
+    `http://localhost:${process.env.PORT || "3013"}`;
   const redirectUri =
-    process.env.LINEAR_REDIRECT_URI ??
-    `http://localhost:${process.env.PORT || "3013"}/api/trackers/linear/callback`;
+    process.env.LINEAR_REDIRECT_URI ?? `${apiBaseUrl}/api/trackers/linear/callback`;
 
   upsertOAuthApp("linear", {
     clientId,
@@ -43,6 +49,23 @@ export function initLinear(): boolean {
 
   initLinearOutboundSync();
 
+  warnIfMcpBaseUrlLooksLikeAppUrl();
+
   console.log("[Linear] Integration initialized");
   return true;
 }
+
+/**
+ * Soft sanity check for `MCP_BASE_URL`. If it equals `APP_URL` (a common
+ * misconfig that surfaces a wrong-looking webhook URL in the dashboard),
+ * warn loudly so the operator can fix the env.
+ */
+function warnIfMcpBaseUrlLooksLikeAppUrl(): void {
+  const mcp = process.env.MCP_BASE_URL?.trim().replace(/\/+$/, "");
+  const app = process.env.APP_URL?.trim().replace(/\/+$/, "");
+  if (mcp && app && mcp === app) {
+    console.warn(
+      `[Linear] WARNING: MCP_BASE_URL (${mcp}) equals APP_URL — surfaced webhook URL points at the dashboard host, not the API. Configure Linear with this URL only if the dashboard host also serves /api/*.`,
+    );
+  }
+}

package/src/linear/oauth.ts

@@ -33,3 +33,27 @@ export async function handleLinearCallback(
   if (!config) throw new Error("Linear OAuth not configured");
   return exchangeCode(config, code, state);
 }
+
+/**
+ * Revoke an OAuth access token with Linear. Best-effort — caller should not
+ * abort the disconnect flow if this fails. Linear's revocation endpoint is
+ * `POST https://api.linear.app/oauth/revoke` with the access token in the
+ * Authorization header (per https://developers.linear.app/docs/oauth/authentication).
+ *
+ * Returns true on a 2xx response, false otherwise.
+ */
+export async function revokeLinearToken(accessToken: string): Promise<boolean> {
+  try {
+    const res = await fetch("https://api.linear.app/oauth/revoke", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    return res.ok;
+  } catch (err) {
+    console.warn(
+      "[Linear] Token revocation failed (best-effort):",
+      err instanceof Error ? err.message : err,
+    );
+    return false;
+  }
+}