@supaku/agentfactory-server 0.1.2 → 0.3.0

package/dist/src/rate-limit.js

@@ -0,0 +1,171 @@
+/**
+ * Rate Limiter with LRU Cache
+ *
+ * In-memory rate limiting using sliding window algorithm.
+ * Uses LRU cache to prevent memory bloat from tracking many IPs.
+ */
+import { createLogger } from './logger';
+const log = createLogger('rate-limit');
+/**
+ * Default rate limit configurations by endpoint type
+ */
+export const RATE_LIMITS = {
+    /** Public API endpoints - 60 requests per minute */
+    public: { limit: 60, windowMs: 60 * 1000 },
+    /** Webhook endpoint - 10 requests per second per IP */
+    webhook: { limit: 10, windowMs: 1000 },
+    /** Dashboard - 30 requests per minute */
+    dashboard: { limit: 30, windowMs: 60 * 1000 },
+};
+/**
+ * LRU Rate Limiter
+ *
+ * Tracks request counts per key (typically IP address) using
+ * sliding window algorithm. Old entries are evicted using LRU policy.
+ */
+export class RateLimiter {
+    cache = new Map();
+    maxEntries;
+    config;
+    constructor(config, maxEntries = 10000) {
+        this.config = config;
+        this.maxEntries = maxEntries;
+    }
+    /**
+     * Check if a request should be allowed
+     *
+     * @param key - Unique identifier (usually IP address)
+     * @returns Rate limit result
+     */
+    check(key) {
+        const now = Date.now();
+        const windowStart = now - this.config.windowMs;
+        // Get or create entry
+        let entry = this.cache.get(key);
+        if (!entry) {
+            entry = { timestamps: [], lastAccess: now };
+        }
+        // Filter timestamps to only include those in the current window
+        entry.timestamps = entry.timestamps.filter((ts) => ts > windowStart);
+        entry.lastAccess = now;
+        // Calculate remaining requests
+        const requestCount = entry.timestamps.length;
+        const remaining = Math.max(0, this.config.limit - requestCount);
+        const allowed = requestCount < this.config.limit;
+        // Add this request if allowed
+        if (allowed) {
+            entry.timestamps.push(now);
+        }
+        // Update cache
+        this.cache.set(key, entry);
+        // Evict old entries if needed
+        this.evictIfNeeded();
+        // Calculate reset time
+        const oldestTimestamp = entry.timestamps[0];
+        const resetIn = oldestTimestamp
+            ? Math.max(0, oldestTimestamp + this.config.windowMs - now)
+            : 0;
+        return {
+            allowed,
+            remaining: allowed ? remaining - 1 : 0,
+            resetIn,
+            limit: this.config.limit,
+        };
+    }
+    /**
+     * Evict least recently used entries if cache is full
+     */
+    evictIfNeeded() {
+        if (this.cache.size <= this.maxEntries)
+            return;
+        // Find entries to evict (oldest lastAccess)
+        const entries = Array.from(this.cache.entries());
+        entries.sort((a, b) => a[1].lastAccess - b[1].lastAccess);
+        // Remove oldest 10% of entries
+        const toRemove = Math.ceil(this.maxEntries * 0.1);
+        for (let i = 0; i < toRemove && i < entries.length; i++) {
+            this.cache.delete(entries[i][0]);
+        }
+        log.debug('Evicted rate limit entries', { removed: toRemove });
+    }
+    /**
+     * Clear all entries (useful for testing)
+     */
+    clear() {
+        this.cache.clear();
+    }
+    /**
+     * Get current cache size
+     */
+    get size() {
+        return this.cache.size;
+    }
+}
+// Singleton rate limiters for different endpoint types
+const limiters = new Map();
+/**
+ * Get or create a rate limiter for an endpoint type
+ *
+ * @param type - Endpoint type ('public', 'webhook', 'dashboard')
+ * @returns Rate limiter instance
+ */
+export function getRateLimiter(type) {
+    let limiter = limiters.get(type);
+    if (!limiter) {
+        limiter = new RateLimiter(RATE_LIMITS[type]);
+        limiters.set(type, limiter);
+    }
+    return limiter;
+}
+/**
+ * Check rate limit for a request
+ *
+ * @param type - Endpoint type
+ * @param key - Unique identifier (usually IP)
+ * @returns Rate limit result
+ */
+export function checkRateLimit(type, key) {
+    const limiter = getRateLimiter(type);
+    return limiter.check(key);
+}
+/**
+ * Extract client IP from request headers
+ *
+ * Handles various proxy scenarios (Vercel, Cloudflare, etc.)
+ *
+ * @param headers - Request headers
+ * @returns Client IP address
+ */
+export function getClientIP(headers) {
+    // Vercel/Cloudflare proxy headers
+    const forwardedFor = headers.get('x-forwarded-for');
+    if (forwardedFor) {
+        // Take first IP (client IP before proxies)
+        return forwardedFor.split(',')[0].trim();
+    }
+    // Cloudflare specific
+    const cfConnectingIP = headers.get('cf-connecting-ip');
+    if (cfConnectingIP) {
+        return cfConnectingIP;
+    }
+    // Vercel specific
+    const realIP = headers.get('x-real-ip');
+    if (realIP) {
+        return realIP;
+    }
+    // Fallback
+    return 'unknown';
+}
+/**
+ * Build rate limit headers for response
+ *
+ * @param result - Rate limit result
+ * @returns Headers object
+ */
+export function buildRateLimitHeaders(result) {
+    return {
+        'X-RateLimit-Limit': result.limit.toString(),
+        'X-RateLimit-Remaining': result.remaining.toString(),
+        'X-RateLimit-Reset': Math.ceil(result.resetIn / 1000).toString(),
+    };
+}

package/dist/src/session-hash.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Session Hash Utility
+ *
+ * Creates opaque, non-reversible session IDs for public API.
+ * Internal session IDs (Linear UUIDs) are hashed to prevent enumeration
+ * and hide internal structure from public viewers.
+ */
+/**
+ * Create a public hash from a session ID
+ *
+ * Uses HMAC-SHA256 with a secret salt to create a consistent
+ * but non-reversible public identifier.
+ *
+ * @param sessionId - Internal Linear session ID
+ * @param saltEnvVar - Environment variable name for the salt (default: SESSION_HASH_SALT)
+ * @returns Hashed public ID (16 character hex string)
+ */
+export declare function hashSessionId(sessionId: string, saltEnvVar?: string): string;
+/**
+ * Create a lookup map from session IDs to their hashes
+ *
+ * Useful for resolving hashed IDs back to sessions when
+ * you have the full list of sessions.
+ *
+ * @param sessionIds - Array of internal session IDs
+ * @returns Map of hash -> sessionId
+ */
+export declare function createHashLookup(sessionIds: string[]): Map<string, string>;
+/**
+ * Find session ID by its public hash
+ *
+ * Since hashing is one-way, we need to hash all session IDs
+ * and compare. This is O(n) but acceptable for the expected
+ * number of sessions (typically < 100).
+ *
+ * @param publicId - Hashed public ID
+ * @param sessionIds - Array of internal session IDs to search
+ * @returns Matching session ID or null
+ */
+export declare function findSessionByHash(publicId: string, sessionIds: string[]): string | null;
+/**
+ * Validate a public session ID format
+ *
+ * @param publicId - Potential public session ID
+ * @returns Whether the format is valid
+ */
+export declare function isValidPublicId(publicId: string): boolean;
+//# sourceMappingURL=session-hash.d.ts.map

package/dist/src/session-hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-hash.d.ts","sourceRoot":"","sources":["../../src/session-hash.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAiB5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAM1E;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAAE,GACnB,MAAM,GAAG,IAAI,CAOf;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAGzD"}

package/dist/src/session-hash.js

@@ -0,0 +1,80 @@
+/**
+ * Session Hash Utility
+ *
+ * Creates opaque, non-reversible session IDs for public API.
+ * Internal session IDs (Linear UUIDs) are hashed to prevent enumeration
+ * and hide internal structure from public viewers.
+ */
+import crypto from 'crypto';
+import { getSessionHashSalt, isSessionHashConfigured } from './env-validation';
+/**
+ * Create a public hash from a session ID
+ *
+ * Uses HMAC-SHA256 with a secret salt to create a consistent
+ * but non-reversible public identifier.
+ *
+ * @param sessionId - Internal Linear session ID
+ * @param saltEnvVar - Environment variable name for the salt (default: SESSION_HASH_SALT)
+ * @returns Hashed public ID (16 character hex string)
+ */
+export function hashSessionId(sessionId, saltEnvVar) {
+    if (!isSessionHashConfigured()) {
+        // In development without salt, use truncated hash
+        // This is less secure but allows development without full config
+        return crypto
+            .createHash('sha256')
+            .update(sessionId)
+            .digest('hex')
+            .slice(0, 16);
+    }
+    const salt = getSessionHashSalt(saltEnvVar);
+    const hmac = crypto.createHmac('sha256', salt);
+    hmac.update(sessionId);
+    // Return first 16 characters for a reasonably short but unique ID
+    return hmac.digest('hex').slice(0, 16);
+}
+/**
+ * Create a lookup map from session IDs to their hashes
+ *
+ * Useful for resolving hashed IDs back to sessions when
+ * you have the full list of sessions.
+ *
+ * @param sessionIds - Array of internal session IDs
+ * @returns Map of hash -> sessionId
+ */
+export function createHashLookup(sessionIds) {
+    const lookup = new Map();
+    for (const id of sessionIds) {
+        lookup.set(hashSessionId(id), id);
+    }
+    return lookup;
+}
+/**
+ * Find session ID by its public hash
+ *
+ * Since hashing is one-way, we need to hash all session IDs
+ * and compare. This is O(n) but acceptable for the expected
+ * number of sessions (typically < 100).
+ *
+ * @param publicId - Hashed public ID
+ * @param sessionIds - Array of internal session IDs to search
+ * @returns Matching session ID or null
+ */
+export function findSessionByHash(publicId, sessionIds) {
+    for (const id of sessionIds) {
+        if (hashSessionId(id) === publicId) {
+            return id;
+        }
+    }
+    return null;
+}
+/**
+ * Validate a public session ID format
+ *
+ * @param publicId - Potential public session ID
+ * @returns Whether the format is valid
+ */
+export function isValidPublicId(publicId) {
+    // Should be 16 character hex string
+    return /^[a-f0-9]{16}$/.test(publicId);
+}

package/dist/src/token-storage.d.ts

@@ -0,0 +1,118 @@
+/**
+ * OAuth Token Storage Module
+ *
+ * Manages Linear OAuth token lifecycle in Redis:
+ * - Store, retrieve, refresh, and revoke tokens
+ * - Automatic token refresh before expiration
+ * - Multi-workspace token support
+ */
+/**
+ * OAuth token data stored in Redis
+ */
+export interface StoredToken {
+    /** The OAuth access token for API calls */
+    accessToken: string;
+    /** The refresh token for obtaining new access tokens */
+    refreshToken?: string;
+    /** Token type (usually "Bearer") */
+    tokenType: string;
+    /** OAuth scopes granted */
+    scope?: string;
+    /** Unix timestamp when the token expires */
+    expiresAt?: number;
+    /** Unix timestamp when the token was stored */
+    storedAt: number;
+    /** Workspace/organization ID this token belongs to */
+    workspaceId: string;
+    /** Workspace name for display purposes */
+    workspaceName?: string;
+}
+/**
+ * Response from Linear OAuth token exchange
+ */
+export interface LinearTokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    token_type: string;
+    expires_in?: number;
+    scope?: string;
+}
+/**
+ * Organization info from Linear API
+ */
+export interface LinearOrganization {
+    id: string;
+    name: string;
+    urlKey: string;
+}
+/**
+ * Store OAuth token for a workspace in Redis
+ *
+ * @param workspaceId - The Linear organization ID
+ * @param tokenResponse - The token data from OAuth exchange
+ * @param workspaceName - Optional workspace name for display
+ */
+export declare function storeToken(workspaceId: string, tokenResponse: LinearTokenResponse, workspaceName?: string): Promise<StoredToken>;
+/**
+ * Retrieve OAuth token for a workspace from Redis
+ *
+ * @param workspaceId - The Linear organization ID
+ * @returns The stored token or null if not found
+ */
+export declare function getToken(workspaceId: string): Promise<StoredToken | null>;
+/**
+ * Check if a token needs to be refreshed
+ * Returns true if token expires within the buffer period
+ *
+ * @param token - The stored token to check
+ * @returns Whether the token should be refreshed
+ */
+export declare function shouldRefreshToken(token: StoredToken): boolean;
+/**
+ * Refresh an OAuth token using the refresh token
+ *
+ * @param token - The current stored token with refresh token
+ * @param clientId - The Linear OAuth client ID
+ * @param clientSecret - The Linear OAuth client secret
+ * @returns The new stored token or null if refresh failed
+ */
+export declare function refreshToken(token: StoredToken, clientId: string, clientSecret: string): Promise<StoredToken | null>;
+/**
+ * Get a valid access token for a workspace, refreshing if necessary
+ *
+ * @param workspaceId - The Linear organization ID
+ * @param clientId - Optional OAuth client ID for refresh (defaults to env var)
+ * @param clientSecret - Optional OAuth client secret for refresh (defaults to env var)
+ * @returns The access token or null if not available
+ */
+export declare function getAccessToken(workspaceId: string, clientId?: string, clientSecret?: string): Promise<string | null>;
+/**
+ * Delete a token from Redis (for cleanup or revocation)
+ *
+ * @param workspaceId - The Linear organization ID
+ * @returns Whether the deletion was successful
+ */
+export declare function deleteToken(workspaceId: string): Promise<boolean>;
+/**
+ * List all stored workspace tokens (for admin purposes)
+ * Note: This scans all keys with the token prefix
+ *
+ * @returns Array of workspace IDs with stored tokens
+ */
+export declare function listStoredWorkspaces(): Promise<string[]>;
+/**
+ * Clean up expired tokens from Redis storage
+ * Should be called periodically (e.g., via cron job)
+ *
+ * @returns Number of tokens cleaned up
+ */
+export declare function cleanupExpiredTokens(): Promise<number>;
+/**
+ * Fetch the current user's organization from Linear API
+ * Used after OAuth to determine which workspace the token belongs to
+ *
+ * @param accessToken - The OAuth access token
+ * @returns Organization info or null if fetch failed
+ */
+export declare function fetchOrganization(accessToken: string): Promise<LinearOrganization | null>;
+//# sourceMappingURL=token-storage.d.ts.map

package/dist/src/token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../src/token-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,WAAW,EAAE,MAAM,CAAA;IACnB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAA;IACjB,2BAA2B;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAA;IAChB,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAA;IACnB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAoBD;;;;;;GAMG;AACH,wBAAsB,UAAU,CAC9B,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,mBAAmB,EAClC,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,WAAW,CAAC,CAsBtB;AAED;;;;;GAKG;AACH,wBAAsB,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAU/E;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAU9D;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAgD7B;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,QAAQ,CAAC,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA8BxB;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAYvE;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAQ9D;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC,CAsB5D;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA6CpC"}

package/dist/src/token-storage.js

@@ -0,0 +1,263 @@
+/**
+ * OAuth Token Storage Module
+ *
+ * Manages Linear OAuth token lifecycle in Redis:
+ * - Store, retrieve, refresh, and revoke tokens
+ * - Automatic token refresh before expiration
+ * - Multi-workspace token support
+ */
+import { createLogger } from './logger';
+import { isRedisConfigured, redisSet, redisGet, redisDel, redisKeys } from './redis';
+const log = createLogger('token-storage');
+/**
+ * Key prefix for workspace tokens in KV
+ */
+const TOKEN_KEY_PREFIX = 'oauth:workspace:';
+/**
+ * Buffer time (in seconds) before expiration to trigger refresh
+ * Refresh tokens 5 minutes before they expire
+ */
+const REFRESH_BUFFER_SECONDS = 5 * 60;
+/**
+ * Build the KV key for a workspace token
+ */
+function buildTokenKey(workspaceId) {
+    return `${TOKEN_KEY_PREFIX}${workspaceId}`;
+}
+/**
+ * Store OAuth token for a workspace in Redis
+ *
+ * @param workspaceId - The Linear organization ID
+ * @param tokenResponse - The token data from OAuth exchange
+ * @param workspaceName - Optional workspace name for display
+ */
+export async function storeToken(workspaceId, tokenResponse, workspaceName) {
+    const now = Math.floor(Date.now() / 1000);
+    const storedToken = {
+        accessToken: tokenResponse.access_token,
+        refreshToken: tokenResponse.refresh_token,
+        tokenType: tokenResponse.token_type,
+        scope: tokenResponse.scope,
+        expiresAt: tokenResponse.expires_in
+            ? now + tokenResponse.expires_in
+            : undefined,
+        storedAt: now,
+        workspaceId,
+        workspaceName,
+    };
+    const key = buildTokenKey(workspaceId);
+    await redisSet(key, storedToken);
+    log.info('Stored OAuth token', { workspaceId, workspaceName });
+    return storedToken;
+}
+/**
+ * Retrieve OAuth token for a workspace from Redis
+ *
+ * @param workspaceId - The Linear organization ID
+ * @returns The stored token or null if not found
+ */
+export async function getToken(workspaceId) {
+    if (!isRedisConfigured()) {
+        log.warn('Redis not configured, cannot retrieve token');
+        return null;
+    }
+    const key = buildTokenKey(workspaceId);
+    const token = await redisGet(key);
+    return token;
+}
+/**
+ * Check if a token needs to be refreshed
+ * Returns true if token expires within the buffer period
+ *
+ * @param token - The stored token to check
+ * @returns Whether the token should be refreshed
+ */
+export function shouldRefreshToken(token) {
+    // No expiration means token doesn't expire (Linear API tokens typically don't)
+    if (!token.expiresAt) {
+        return false;
+    }
+    const now = Math.floor(Date.now() / 1000);
+    const timeUntilExpiry = token.expiresAt - now;
+    return timeUntilExpiry <= REFRESH_BUFFER_SECONDS;
+}
+/**
+ * Refresh an OAuth token using the refresh token
+ *
+ * @param token - The current stored token with refresh token
+ * @param clientId - The Linear OAuth client ID
+ * @param clientSecret - The Linear OAuth client secret
+ * @returns The new stored token or null if refresh failed
+ */
+export async function refreshToken(token, clientId, clientSecret) {
+    const workspaceId = token.workspaceId;
+    if (!token.refreshToken) {
+        log.warn('No refresh token available', { workspaceId });
+        return null;
+    }
+    try {
+        const response = await fetch('https://api.linear.app/oauth/token', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                client_id: clientId,
+                client_secret: clientSecret,
+                refresh_token: token.refreshToken,
+            }),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            log.error('Token refresh failed', {
+                workspaceId,
+                statusCode: response.status,
+                errorDetails: errorText,
+            });
+            return null;
+        }
+        const tokenResponse = (await response.json());
+        // Store the new token
+        const newToken = await storeToken(token.workspaceId, tokenResponse, token.workspaceName);
+        log.info('Refreshed OAuth token', { workspaceId });
+        return newToken;
+    }
+    catch (err) {
+        log.error('Token refresh error', { workspaceId, error: err });
+        return null;
+    }
+}
+/**
+ * Get a valid access token for a workspace, refreshing if necessary
+ *
+ * @param workspaceId - The Linear organization ID
+ * @param clientId - Optional OAuth client ID for refresh (defaults to env var)
+ * @param clientSecret - Optional OAuth client secret for refresh (defaults to env var)
+ * @returns The access token or null if not available
+ */
+export async function getAccessToken(workspaceId, clientId, clientSecret) {
+    const token = await getToken(workspaceId);
+    if (!token) {
+        return null;
+    }
+    // Check if token needs refresh
+    if (shouldRefreshToken(token)) {
+        const cid = clientId ?? process.env.LINEAR_CLIENT_ID;
+        const csecret = clientSecret ?? process.env.LINEAR_CLIENT_SECRET;
+        if (!cid || !csecret) {
+            log.warn('OAuth credentials not configured, cannot refresh token', { workspaceId });
+            // Return existing token even if it might be expiring soon
+            return token.accessToken;
+        }
+        const refreshedToken = await refreshToken(token, cid, csecret);
+        if (refreshedToken) {
+            return refreshedToken.accessToken;
+        }
+        // Refresh failed, return existing token
+        log.warn('Token refresh failed, using existing token', { workspaceId });
+        return token.accessToken;
+    }
+    return token.accessToken;
+}
+/**
+ * Delete a token from Redis (for cleanup or revocation)
+ *
+ * @param workspaceId - The Linear organization ID
+ * @returns Whether the deletion was successful
+ */
+export async function deleteToken(workspaceId) {
+    if (!isRedisConfigured()) {
+        log.warn('Redis not configured, cannot delete token');
+        return false;
+    }
+    const key = buildTokenKey(workspaceId);
+    const result = await redisDel(key);
+    log.info('Deleted OAuth token', { workspaceId });
+    return result > 0;
+}
+/**
+ * List all stored workspace tokens (for admin purposes)
+ * Note: This scans all keys with the token prefix
+ *
+ * @returns Array of workspace IDs with stored tokens
+ */
+export async function listStoredWorkspaces() {
+    if (!isRedisConfigured()) {
+        return [];
+    }
+    const keys = await redisKeys(`${TOKEN_KEY_PREFIX}*`);
+    return keys.map((key) => key.replace(TOKEN_KEY_PREFIX, ''));
+}
+/**
+ * Clean up expired tokens from Redis storage
+ * Should be called periodically (e.g., via cron job)
+ *
+ * @returns Number of tokens cleaned up
+ */
+export async function cleanupExpiredTokens() {
+    if (!isRedisConfigured()) {
+        return 0;
+    }
+    const workspaces = await listStoredWorkspaces();
+    const now = Math.floor(Date.now() / 1000);
+    let cleanedCount = 0;
+    for (const workspaceId of workspaces) {
+        const token = await getToken(workspaceId);
+        // Remove tokens that have expired (with some grace period)
+        // We add 1 hour grace period to avoid removing tokens that might still be usable
+        if (token?.expiresAt && token.expiresAt + 3600 < now) {
+            await deleteToken(workspaceId);
+            cleanedCount++;
+            log.info('Cleaned up expired token', { workspaceId });
+        }
+    }
+    return cleanedCount;
+}
+/**
+ * Fetch the current user's organization from Linear API
+ * Used after OAuth to determine which workspace the token belongs to
+ *
+ * @param accessToken - The OAuth access token
+ * @returns Organization info or null if fetch failed
+ */
+export async function fetchOrganization(accessToken) {
+    try {
+        const response = await fetch('https://api.linear.app/graphql', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${accessToken}`,
+            },
+            body: JSON.stringify({
+                query: `
+          query {
+            organization {
+              id
+              name
+              urlKey
+            }
+          }
+        `,
+            }),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            log.error('Failed to fetch organization', {
+                statusCode: response.status,
+                errorDetails: errorText,
+            });
+            return null;
+        }
+        const data = (await response.json());
+        if (data.errors) {
+            log.error('GraphQL errors fetching organization', { errors: data.errors });
+            return null;
+        }
+        return data.data?.organization ?? null;
+    }
+    catch (err) {
+        log.error('Error fetching organization', { error: err });
+        return null;
+    }
+}