aiden-runtime 3.19.5 → 3.19.7

package/workspace-templates/skills/greynoise/SKILL.md

@@ -0,0 +1,96 @@
+---
+name: greynoise
+description: Classify IP addresses as internet scanners (benign/malicious) or targeted attackers — filters noise from security alerts
+category: security
+version: 1.0.0
+license: Apache-2.0
+origin: aiden
+tags: security, greynoise, scanner, threat-intel, ip, osint, soc, incident-response, noise-filtering
+env_required:
+  - GREYNOISE_API_KEY
+---
+
+# GreyNoise — Internet Scanner Intelligence
+
+GreyNoise collects and analyses internet-wide scan traffic. It tells you whether an IP hitting your firewall is a known mass-scanner (benign research tool or malicious crawler) versus a targeted attacker — helping SOC teams filter out internet noise from real threats.
+
+**Community tier:** The `/v3/community/{ip}` endpoint works with limited volume even without a key. Set `GREYNOISE_API_KEY` for higher rate limits.
+
+## When to Use
+
+- An IP triggers a firewall rule and you want to know if it is just background internet noise
+- SOC triage: is this alert a known scanner or a targeted attack?
+- Filter false positives from SIEM before escalating an alert
+- User asks "is this IP a scanner?", "is this noisy traffic?", "is IP X benign?"
+
+## How to Use
+
+### Check if an IP is a known internet scanner
+
+```powershell
+$ip      = "71.6.135.131"
+$headers = @{}
+if ($env:GREYNOISE_API_KEY) { $headers['key'] = $env:GREYNOISE_API_KEY }
+
+$result = Invoke-RestMethod -Uri "https://api.greynoise.io/v3/community/$ip" -Headers $headers
+Write-Host "IP:             $($result.ip)"
+Write-Host "Noise:          $($result.noise)"        # true = mass-scanner
+Write-Host "RIOT:           $($result.riot)"         # true = trusted benign service
+Write-Host "Classification: $($result.classification)"  # benign | malicious | unknown
+Write-Host "Name:           $($result.name)"
+Write-Host "Last seen:      $($result.last_seen)"
+Write-Host "Link:           $($result.link)"
+Write-Host "Message:        $($result.message)"
+```
+
+### Triage a batch of IPs from a firewall log
+
+```powershell
+$ips = @("1.1.1.1", "8.8.8.8", "71.6.135.131", "45.83.66.42")
+$headers = @{}
+if ($env:GREYNOISE_API_KEY) { $headers['key'] = $env:GREYNOISE_API_KEY }
+
+foreach ($ip in $ips) {
+    try {
+        $r = Invoke-RestMethod -Uri "https://api.greynoise.io/v3/community/$ip" -Headers $headers
+        $tag = if ($r.riot) { '[RIOT-trusted]' } elseif ($r.noise) { '[SCANNER]' } else { '[TARGETED?]' }
+        Write-Host "$ip  $tag  $($r.classification)  $($r.name)"
+    } catch {
+        Write-Host "$ip  [ERROR]  $($_.Exception.Message)"
+    }
+    Start-Sleep -Milliseconds 200
+}
+```
+
+### Interpret the results
+
+```
+noise = true   → IP is a known mass-scanner (benign researchers, crawlers, etc.)
+riot  = true   → IP belongs to a trusted service (Cloudflare, Google, AWS, etc.)
+classification = "malicious"  → Known malicious scanner — block and investigate
+classification = "benign"     → Probably safe background noise — may deprioritise
+classification = "unknown"    → No data — treat with caution
+```
+
+## Examples
+
+**"Is 71.6.135.131 an attacker?"**
+→ Returns classification: malicious, noise: true — known malicious scanner.
+
+**"This IP keeps hitting our web server — is it just background noise?"**
+→ `noise: true` means it is scanning the whole internet, not targeting you specifically.
+
+**"Is 8.8.8.8 a threat?"**
+→ `riot: true` — belongs to Google DNS, trusted RIOT (Rule It Out) list.
+
+## Cautions
+
+- Community endpoint returns limited data — `GREYNOISE_API_KEY` unlocks full context
+- `noise: false` and `riot: false` does not mean the IP is malicious — GreyNoise may simply have no data for it
+- Data reflects GreyNoise's scanner observations — gaps exist for low-volume IPs
+- Free community endpoint: ~50 lookups/day per source IP without a key
+
+## Requirements
+
+- No key required for low-volume community lookups
+- `GREYNOISE_API_KEY` — free community key at https://viz.greynoise.io/account

package/workspace-templates/skills/greynoise/index.ts

@@ -0,0 +1,107 @@
+// skills/greynoise/index.ts
+// Programmatic handler — IP scanner intelligence via GreyNoise community API.
+
+import { ApiSkill } from '../../core/apiSkillBase'
+
+// Community endpoint works with or without a key.
+// We create the skill instance conditionally to avoid sending an empty key header.
+let _skill: ApiSkill | null = null
+
+function getSkill(): ApiSkill {
+  if (_skill) return _skill
+
+  const key = process.env['GREYNOISE_API_KEY']
+
+  _skill = key
+    ? new ApiSkill({
+        name:       'greynoise',
+        baseUrl:    'https://api.greynoise.io/v3',
+        authType:   'header',
+        authHeader: 'key',
+        apiKey:     key,
+        rateLimit:  { requests: 10, windowMs: 60_000 },
+        timeout:    15_000,
+        retries:    2,
+      })
+    : new ApiSkill({
+        name:      'greynoise',
+        baseUrl:   'https://api.greynoise.io/v3',
+        authType:  'none',
+        rateLimit: { requests: 5, windowMs: 60_000 },
+        timeout:   15_000,
+        retries:   2,
+      })
+
+  return _skill
+}
+
+// ── Output types ──────────────────────────────────────────────
+
+export type GreyNoiseClassification = 'benign' | 'malicious' | 'unknown'
+
+export interface GreyNoiseReport {
+  ip:             string
+  noise:          boolean              // true = known mass internet scanner
+  riot:           boolean              // true = trusted benign service (Google, Cloudflare, etc.)
+  classification: GreyNoiseClassification | string
+  name:           string               // actor/org name if known
+  link:           string               // GreyNoise visualiser URL
+  lastSeen:       string
+  message:        string
+  hasKey:         boolean              // whether an API key was used
+}
+
+// ── Public API ────────────────────────────────────────────────
+
+/**
+ * Check whether an IP address is a known internet scanner.
+ *
+ * Uses the GreyNoise Community endpoint (/v3/community/{ip}).
+ * Works without an API key at low volume (~50 lookups/day).
+ * Set GREYNOISE_API_KEY for higher limits.
+ */
+export async function checkIp(ip: string): Promise<GreyNoiseReport> {
+  const trimmed = ip.trim()
+
+  // Basic IPv4/IPv6 sanity check
+  if (!trimmed) throw new Error('greynoise: IP address is required')
+
+  const raw = await getSkill().get(`/community/${encodeURIComponent(trimmed)}`)
+
+  return {
+    ip:             raw.ip             ?? trimmed,
+    noise:          raw.noise          ?? false,
+    riot:           raw.riot           ?? false,
+    classification: raw.classification ?? 'unknown',
+    name:           raw.name           ?? '',
+    link:           raw.link           ?? `https://viz.greynoise.io/ip/${trimmed}`,
+    lastSeen:       raw.last_seen      ?? '',
+    message:        raw.message        ?? '',
+    hasKey:         !!process.env['GREYNOISE_API_KEY'],
+  }
+}
+
+/** Format a GreyNoiseReport as a human-readable summary. */
+export function formatReport(report: GreyNoiseReport): string {
+  const tag = report.riot
+    ? '✅ RIOT (trusted service)'
+    : report.noise
+      ? (report.classification === 'malicious' ? '🚨 MALICIOUS SCANNER' : '🔍 Known scanner')
+      : '⚠️  Not in GreyNoise (may be targeted)'
+
+  const lines = [
+    `IP:             ${report.ip}`,
+    `Tag:            ${tag}`,
+    `Classification: ${report.classification}`,
+    `Noise:          ${report.noise}`,
+    `RIOT:           ${report.riot}`,
+  ]
+
+  if (report.name)     lines.push(`Name:           ${report.name}`)
+  if (report.lastSeen) lines.push(`Last seen:      ${report.lastSeen}`)
+  if (report.message)  lines.push(`Message:        ${report.message}`)
+
+  lines.push(`Profile:        ${report.link}`)
+
+  return lines.join('\n')
+}

package/workspace-templates/skills/greynoise/skill.json

@@ -0,0 +1,25 @@
+{
+  "name": "greynoise",
+  "version": "1.0.0",
+  "description": "Classify IP addresses as internet scanners (benign/malicious) or targeted attackers — filters noise from security alerts",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "security",
+    "greynoise",
+    "scanner",
+    "threat-intel",
+    "ip",
+    "osint",
+    "soc",
+    "incident-response",
+    "noise-filtering"
+  ],
+  "created": "2026-04-27T17:11:39.765Z"
+}

package/workspace-templates/skills/haveibeenpwned/SKILL.md

@@ -0,0 +1,100 @@
+---
+name: haveibeenpwned
+description: Check if an email address or username appears in known data breaches using the Have I Been Pwned v3 API
+category: security
+version: 1.0.0
+license: Apache-2.0
+origin: aiden
+tags: security, breach, pwned, email, password, leak, osint, hibp
+env_required:
+  - HIBP_API_KEY
+---
+
+# Have I Been Pwned — Breach Checker
+
+Look up whether an email address has appeared in any publicly known data breaches. Uses the [Have I Been Pwned](https://haveibeenpwned.com) v3 API.
+
+**Requires:** `HIBP_API_KEY` in `.env` — $3.50/month subscription at haveibeenpwned.com/API/Key
+
+## When to Use
+
+- User wants to know if their email was part of a data breach
+- User wants a list of breaches an email was found in
+- User is auditing accounts before a security review
+- User asks "was my email leaked" or "has X been pwned"
+
+## How to Use
+
+### Check a single email for breaches
+
+```powershell
+$email = "user@example.com"
+$key   = $env:HIBP_API_KEY
+$url   = "https://haveibeenpwned.com/api/v3/breachedaccount/$([Uri]::EscapeDataString($email))?truncateResponse=false"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "hibp-api-key" = $key } -ErrorAction SilentlyContinue
+
+if ($null -eq $result) {
+    Write-Host "✅ $email was NOT found in any known data breaches."
+} else {
+    Write-Host "⚠️  $email found in $($result.Count) breach(es):"
+    $result | ForEach-Object {
+        Write-Host "   • $($_.Name) ($($_.BreachDate)) — $($_.DataClasses -join ', ')"
+    }
+}
+```
+
+### Check which passwords were exposed (pastes)
+
+```powershell
+$email = "user@example.com"
+$key   = $env:HIBP_API_KEY
+$url   = "https://haveibeenpwned.com/api/v3/pasteaccount/$([Uri]::EscapeDataString($email))"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "hibp-api-key" = $key } -ErrorAction SilentlyContinue
+
+if ($null -eq $result) {
+    Write-Host "✅ No paste exposures found for $email"
+} else {
+    Write-Host "Found in $($result.Count) paste(s):"
+    $result | Select-Object Source, Title, Date | Format-Table
+}
+```
+
+### Bulk check a list of emails from a file
+
+```powershell
+$key   = $env:HIBP_API_KEY
+$emails = Get-Content "emails.txt"
+
+foreach ($email in $emails) {
+    Start-Sleep -Milliseconds 1600   # respect 1 req/1.5s rate limit
+    $url = "https://haveibeenpwned.com/api/v3/breachedaccount/$([Uri]::EscapeDataString($email))"
+    $res = Invoke-RestMethod -Uri $url -Headers @{ "hibp-api-key" = $key } -ErrorAction SilentlyContinue
+    $status = if ($res) { "PWNED ($($res.Count) breaches)" } else { "Clean" }
+    Write-Host "$email — $status"
+}
+```
+
+## Examples
+
+**"Check if test@example.com has been in any breaches"**
+→ Run the single-email check above with that address.
+
+**"Was my email leaked in the Adobe breach?"**
+→ Run the single check; then filter: `$result | Where-Object Name -eq 'Adobe'`
+
+**"Check all emails in a file for breaches"**
+→ Use the bulk check snippet — it respects the 1.5s rate limit automatically.
+
+## Cautions
+
+- API key is required — there is no free anonymous tier for the v3 breached-account endpoint
+- Rate limit is 1 request per 1.5 seconds — always add `Start-Sleep -Milliseconds 1600` in loops
+- HTTP 404 means the email was not found (not an error) — `Invoke-RestMethod -ErrorAction SilentlyContinue` handles this silently
+- HIBP does not store plaintext passwords — it only records breach metadata and data class types
+- For password hash checks (k-anonymity model), use the `/range/{hash5}` endpoint — no API key required
+
+## Requirements
+
+- `HIBP_API_KEY` — subscribe at https://haveibeenpwned.com/API/Key ($3.50/month)

package/workspace-templates/skills/haveibeenpwned/index.ts

@@ -0,0 +1,72 @@
+// skills/haveibeenpwned/index.ts
+// Programmatic handler — uses ApiSkill for HTTP, auth, and rate limiting.
+
+import { ApiSkill, requireApiKey } from '../../core/apiSkillBase'
+
+const skill = new ApiSkill({
+  name:       'haveibeenpwned',
+  baseUrl:    'https://haveibeenpwned.com/api/v3',
+  apiKeyEnv:  'HIBP_API_KEY',
+  authType:   'header',
+  authHeader: 'hibp-api-key',
+  rateLimit:  { requests: 1, windowMs: 1_500 },   // 1 req / 1.5 s
+  timeout:    15_000,
+})
+
+export interface Breach {
+  Name:        string
+  BreachDate:  string
+  DataClasses: string[]
+  Description: string
+}
+
+export async function checkEmail(email: string): Promise<string> {
+  requireApiKey('HIBP_API_KEY')
+
+  let breaches: Breach[]
+  try {
+    breaches = await skill.get(
+      `/breachedaccount/${encodeURIComponent(email)}`,
+      { truncateResponse: false },
+    )
+  } catch (e: any) {
+    // 404 → not found (clean)
+    if (e.message.includes('HTTP 404')) {
+      return `✅ ${email} was NOT found in any known data breaches.`
+    }
+    throw e
+  }
+
+  if (!Array.isArray(breaches) || breaches.length === 0) {
+    return `✅ ${email} was NOT found in any known data breaches.`
+  }
+
+  const lines = breaches.map(
+    b => `  • ${b.Name} (${b.BreachDate}) — ${b.DataClasses.join(', ')}`,
+  )
+  return [
+    `⚠️  ${email} found in ${breaches.length} breach(es):`,
+    ...lines,
+  ].join('\n')
+}
+
+export async function checkPastes(email: string): Promise<string> {
+  requireApiKey('HIBP_API_KEY')
+
+  let pastes: any[]
+  try {
+    pastes = await skill.get(`/pasteaccount/${encodeURIComponent(email)}`)
+  } catch (e: any) {
+    if (e.message.includes('HTTP 404')) {
+      return `✅ ${email} was NOT found in any known pastes.`
+    }
+    throw e
+  }
+
+  if (!Array.isArray(pastes) || pastes.length === 0) {
+    return `✅ ${email} was NOT found in any known pastes.`
+  }
+
+  const lines = pastes.map(p => `  • ${p.Source} — ${p.Title ?? 'untitled'} (${p.Date ?? 'unknown date'})`)
+  return [`⚠️  ${email} found in ${pastes.length} paste(s):`, ...lines].join('\n')
+}

package/workspace-templates/skills/haveibeenpwned/skill.json

@@ -0,0 +1,24 @@
+{
+  "name": "haveibeenpwned",
+  "version": "1.0.0",
+  "description": "Check if an email address or username appears in known data breaches using the Have I Been Pwned v3 API",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "security",
+    "breach",
+    "pwned",
+    "email",
+    "password",
+    "leak",
+    "osint",
+    "hibp"
+  ],
+  "created": "2026-04-27T17:11:39.790Z"
+}

package/workspace-templates/skills/jupyter-live-kernel/SKILL.md

@@ -0,0 +1,116 @@
+---
+name: jupyter-live-kernel
+description: Execute code in a stateful Jupyter kernel session, maintaining variables across cells using hamelnb or jupyter CLI
+category: developer
+version: 1.0.0
+origin: aiden
+license: Apache-2.0
+tags: jupyter, notebook, kernel, python, data-science, ipython, stateful, cells, pandas
+---
+
+# Jupyter Live Kernel Execution
+
+Run Python code in a persistent Jupyter kernel so that variables, imports, and state carry over between executions — exactly like working in a notebook, but from the CLI.
+
+## When to Use
+
+- User wants to run data analysis across multiple code cells with shared state
+- User wants to explore a dataset step by step
+- User wants to run ML training and inspect intermediate results
+- User wants to execute a `.ipynb` notebook file from the command line
+- User wants to maintain a REPL-like Python session with persistent variables
+
+## How to Use
+
+### 1. Install hamelnb (stateful kernel CLI)
+
+```powershell
+pip install hamelnb
+# or use jupyter directly
+pip install jupyter
+```
+
+### 2. Start a kernel and run cells (hamelnb)
+
+```powershell
+# Start a persistent kernel session (keeps running between calls)
+hamelnb start --name datasession
+
+# Execute a code snippet in the named session
+hamelnb run datasession "import pandas as pd; df = pd.read_csv('data.csv'); print(df.shape)"
+
+# Execute next cell — df variable is still available
+hamelnb run datasession "print(df.describe())"
+
+# Stop session when done
+hamelnb stop datasession
+```
+
+### 3. Execute a notebook file
+
+```powershell
+# Run all cells in a notebook and save output
+jupyter nbconvert --to notebook --execute analysis.ipynb --output analysis_out.ipynb
+
+# Run and convert output to HTML for viewing
+jupyter nbconvert --to html --execute analysis.ipynb --output report.html
+```
+
+### 4. Run Python code in a Jupyter kernel via Python API
+
+```python
+import jupyter_client, queue
+
+km = jupyter_client.KernelManager(kernel_name="python3")
+km.start_kernel()
+kc = km.client()
+kc.start_channels()
+kc.wait_for_ready(timeout=30)
+
+def run_cell(code):
+  kc.execute(code)
+  outputs = []
+  while True:
+    try:
+      msg = kc.get_iopub_msg(timeout=10)
+      if msg["msg_type"] == "stream":
+        outputs.append(msg["content"]["text"])
+      elif msg["msg_type"] == "execute_result":
+        outputs.append(msg["content"]["data"].get("text/plain",""))
+      elif msg["msg_type"] == "status" and msg["content"]["execution_state"] == "idle":
+        break
+    except queue.Empty:
+      break
+  return "".join(outputs)
+
+print(run_cell("import pandas as pd; df = pd.read_csv('data.csv'); df.shape"))
+print(run_cell("df.describe()"))   # df is still in scope!
+km.shutdown_kernel()
+```
+
+### 5. Inject variables into a running kernel
+
+```python
+# Use run_cell from step 4 to inject values
+run_cell("x = 42; y = [1, 2, 3]")
+result = run_cell("print(x * 2, sum(y))")
+```
+
+## Examples
+
+**"Load sales.csv and show the top 10 rows, then plot revenue by month"**
+→ Use step 4: run cell 1 to load and preview the CSV, run cell 2 to group by month and show results — `df` persists between calls.
+
+**"Execute my analysis.ipynb notebook and give me the output"**
+→ Use step 3 with `jupyter nbconvert --to notebook --execute`.
+
+**"Explore the wine quality dataset — check correlations step by step"**
+→ Use hamelnb (step 2) to build up analysis iteratively with named session.
+
+## Cautions
+
+- Kernel sessions consume memory for as long as they run — always `km.shutdown_kernel()` when done
+- Long-running cells (ML training) will block until complete — set reasonable timeouts
+- `nbconvert --execute` re-runs all cells from scratch — it does not resume a previous state
+- hamelnb is a third-party tool — verify it is installed with `pip show hamelnb` before use
+- Never pass user secrets as inline code strings — use environment variables or config files instead

package/workspace-templates/skills/jupyter-live-kernel/skill.json

@@ -0,0 +1,25 @@
+{
+  "name": "jupyter-live-kernel",
+  "version": "1.0.0",
+  "description": "Execute code in a stateful Jupyter kernel session, maintaining variables across cells using hamelnb or jupyter CLI",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "jupyter",
+    "notebook",
+    "kernel",
+    "python",
+    "data-science",
+    "ipython",
+    "stateful",
+    "cells",
+    "pandas"
+  ],
+  "created": "2026-04-27T17:11:39.871Z"
+}

package/workspace-templates/skills/linear/SKILL.md

@@ -0,0 +1,107 @@
+---
+name: linear
+description: Manage Linear issues, projects, and cycles via the Linear GraphQL API
+category: productivity
+version: 1.0.0
+origin: aiden
+license: Apache-2.0
+tags: linear, issues, project-management, graphql, engineering, sprint, cycle, team, tasks
+---
+
+# Linear Issue Tracking
+
+Query and mutate Linear data — issues, projects, cycles, and teams — using the Linear GraphQL API. Requires `LINEAR_API_KEY` set as an environment variable.
+
+## When to Use
+
+- User wants to list open issues in a Linear team or project
+- User wants to create a new Linear issue
+- User wants to update issue status or priority
+- User wants to see issues assigned to them
+- User wants to look up current cycle/sprint progress
+
+## How to Use
+
+### 1. Set API key
+
+Generate a Personal API key at https://linear.app/settings/api — select `read` and `write` scopes.
+
+```powershell
+$env:LINEAR_API_KEY = "lin_api_..."
+```
+
+### 2. Run a GraphQL query helper
+
+All Linear API calls are POST to `https://api.linear.app/graphql`.
+
+```powershell
+function Invoke-Linear($query, $variables = @{}) {
+  $body    = @{ query = $query; variables = $variables } | ConvertTo-Json -Depth 10
+  $headers = @{ "Authorization" = $env:LINEAR_API_KEY; "Content-Type" = "application/json" }
+  (Invoke-RestMethod -Uri "https://api.linear.app/graphql" -Method Post -Headers $headers -Body $body).data
+}
+```
+
+### 3. List my assigned issues
+
+```powershell
+$q = '{ viewer { assignedIssues(first: 20, filter: { state: { type: { in: ["started","unstarted"] } } }) { nodes { identifier title priority state { name } } } } }'
+(Invoke-Linear $q).viewer.assignedIssues.nodes | Format-Table identifier, title, priority
+```
+
+### 4. List issues in a team
+
+```powershell
+$q = 'query($key:String!) { team(key:$key) { issues(first:30, filter:{state:{type:{in:["started","unstarted"]}}}) { nodes { identifier title assignee { name } state { name } } } } }'
+(Invoke-Linear $q @{ key = "ENG" }).team.issues.nodes | Format-Table identifier, title
+```
+
+### 5. Create a new issue
+
+```powershell
+# First get teamId
+$teamQ = '{ teams { nodes { id key name } } }'
+$teams = (Invoke-Linear $teamQ).teams.nodes
+$teamId = ($teams | Where-Object key -eq "ENG").id
+
+$mutation = 'mutation($input:IssueCreateInput!) { issueCreate(input:$input) { issue { identifier title url } } }'
+$vars = @{ input = @{ teamId = $teamId; title = "Fix login timeout bug"; description = "Users are being logged out after 5 min of inactivity."; priority = 2 } }
+(Invoke-Linear $mutation $vars).issueCreate.issue
+```
+
+### 6. Update issue state
+
+```powershell
+# Get state IDs for the team first
+$stateQ = 'query($key:String!) { team(key:$key) { states { nodes { id name } } } }'
+$states = (Invoke-Linear $stateQ @{ key = "ENG" }).team.states.nodes
+$doneId = ($states | Where-Object name -eq "Done").id
+
+$mutation = 'mutation($id:String! $stateId:String!) { issueUpdate(id:$id input:{stateId:$stateId}) { issue { identifier state { name } } } }'
+(Invoke-Linear $mutation @{ id = "ENG-42"; stateId = $doneId }).issueUpdate.issue
+```
+
+### 7. List current cycle
+
+```powershell
+$q = 'query($key:String!) { team(key:$key) { activeCycle { name startsAt endsAt progress issues(first:50) { nodes { identifier title state { name } } } } } }'
+(Invoke-Linear $q @{ key = "ENG" }).team.activeCycle | Select-Object name, progress
+```
+
+## Examples
+
+**"Show me all my open Linear issues"**
+→ Use steps 2–3 to list viewer's assigned unstarted/in-progress issues.
+
+**"Create a Linear issue: 'Update onboarding flow' in the PRODUCT team"**
+→ Use step 5 — fetch team ID for PRODUCT, then create with given title.
+
+**"What's the progress on the current sprint?"**
+→ Use step 7 — ask user for their team key, then show activeCycle progress.
+
+## Cautions
+
+- Linear API keys are personal — they act as the user who created them
+- Priority values: 0=No priority, 1=Urgent, 2=High, 3=Medium, 4=Low
+- Issue IDs look like `ENG-42` but mutations need the UUID — always fetch UUID from the issues list
+- GraphQL depth limit is ~6 levels — avoid deeply nested queries