patchrelay 0.1.0

package/dist/installation-ports.js

@@ -0,0 +1 @@
+export {};

package/dist/issue-query-service.js

@@ -0,0 +1,68 @@
+import { summarizeCurrentThread } from "./stage-reporting.js";
+import { safeJsonParse } from "./utils.js";
+export class IssueQueryService {
+    stores;
+    codex;
+    stageFinalizer;
+    constructor(stores, codex, stageFinalizer) {
+        this.stores = stores;
+        this.codex = codex;
+        this.stageFinalizer = stageFinalizer;
+    }
+    async getIssueOverview(issueKey) {
+        const result = this.stores.issueWorkflows.getIssueOverview(issueKey);
+        if (!result) {
+            return undefined;
+        }
+        const activeStatus = await this.stageFinalizer.getActiveStageStatus(issueKey);
+        const activeStageRun = activeStatus?.stageRun ?? result.activeStageRun;
+        const latestStageRun = this.stores.issueWorkflows.getLatestStageRunForIssue(result.issue.projectId, result.issue.linearIssueId);
+        let liveThread;
+        if (activeStatus?.liveThread) {
+            liveThread = activeStatus.liveThread;
+        }
+        else if (activeStageRun?.threadId) {
+            liveThread = await this.codex.readThread(activeStageRun.threadId, true).then(summarizeCurrentThread).catch(() => undefined);
+        }
+        return {
+            ...result,
+            ...(activeStageRun ? { activeStageRun } : {}),
+            ...(latestStageRun ? { latestStageRun } : {}),
+            ...(liveThread ? { liveThread } : {}),
+        };
+    }
+    async getIssueReport(issueKey) {
+        const issue = this.stores.issueWorkflows.getTrackedIssueByKey(issueKey);
+        if (!issue) {
+            return undefined;
+        }
+        return {
+            issue,
+            stages: this.stores.issueWorkflows.listStageRunsForIssue(issue.projectId, issue.linearIssueId).map((stageRun) => ({
+                stageRun,
+                ...(stageRun.reportJson ? { report: JSON.parse(stageRun.reportJson) } : {}),
+            })),
+        };
+    }
+    async getStageEvents(issueKey, stageRunId) {
+        const issue = this.stores.issueWorkflows.getTrackedIssueByKey(issueKey);
+        if (!issue) {
+            return undefined;
+        }
+        const stageRun = this.stores.issueWorkflows.getStageRun(stageRunId);
+        if (!stageRun || stageRun.projectId !== issue.projectId || stageRun.linearIssueId !== issue.linearIssueId) {
+            return undefined;
+        }
+        return {
+            issue,
+            stageRun,
+            events: this.stores.stageEvents.listThreadEvents(stageRunId).map((event) => ({
+                ...event,
+                parsedEvent: safeJsonParse(event.eventJson),
+            })),
+        };
+    }
+    async getActiveStageStatus(issueKey) {
+        return await this.stageFinalizer.getActiveStageStatus(issueKey);
+    }
+}

package/dist/ledger-ports.js

@@ -0,0 +1 @@
+export {};

package/dist/linear-client.js

@@ -0,0 +1,338 @@
+import { refreshLinearOAuthToken } from "./linear-oauth.js";
+import { decryptSecret, encryptSecret } from "./token-crypto.js";
+export class LinearGraphqlClient {
+    options;
+    logger;
+    constructor(options, logger) {
+        this.options = options;
+        this.logger = logger;
+    }
+    async getIssue(issueId) {
+        const response = await this.request(`
+      query PatchRelayIssue($id: String!) {
+        issue(id: $id) {
+          id
+          identifier
+          title
+          url
+          state {
+            id
+            name
+          }
+          labels {
+            nodes {
+              id
+              name
+            }
+          }
+          team {
+            id
+            key
+            states {
+              nodes {
+                id
+                name
+                type
+              }
+            }
+            labels {
+              nodes {
+                id
+                name
+              }
+            }
+          }
+        }
+      }
+      `, { id: issueId });
+        if (!response.issue) {
+            throw new Error(`Linear issue ${issueId} was not found`);
+        }
+        return this.mapIssue(response.issue);
+    }
+    async setIssueState(issueId, stateName) {
+        const issue = await this.getIssue(issueId);
+        const state = issue.workflowStates.find((entry) => entry.name.trim().toLowerCase() === stateName.trim().toLowerCase());
+        if (!state) {
+            throw new Error(`Linear state "${stateName}" was not found for issue ${issue.identifier ?? issueId}`);
+        }
+        const response = await this.request(`
+      mutation PatchRelaySetIssueState($id: String!, $stateId: String!) {
+        issueUpdate(id: $id, input: { stateId: $stateId }) {
+          success
+          issue {
+            id
+            identifier
+            title
+            url
+            state {
+              id
+              name
+            }
+            labels {
+              nodes {
+                id
+                name
+              }
+            }
+            team {
+              id
+              key
+              states {
+                nodes {
+                  id
+                  name
+                  type
+                }
+              }
+              labels {
+                nodes {
+                  id
+                  name
+                }
+              }
+            }
+          }
+        }
+      }
+      `, { id: issueId, stateId: state.id });
+        if (!response.issueUpdate.success || !response.issueUpdate.issue) {
+            throw new Error(`Linear rejected state update for issue ${issue.identifier ?? issueId}`);
+        }
+        return this.mapIssue(response.issueUpdate.issue);
+    }
+    async upsertIssueComment(params) {
+        if (params.commentId) {
+            const response = await this.request(`
+        mutation PatchRelayUpdateComment($id: String!, $body: String!) {
+          commentUpdate(id: $id, input: { body: $body }) {
+            success
+            comment {
+              id
+              body
+            }
+          }
+        }
+        `, { id: params.commentId, body: params.body });
+            if (response.commentUpdate.success && response.commentUpdate.comment) {
+                return response.commentUpdate.comment;
+            }
+        }
+        const response = await this.request(`
+      mutation PatchRelayCreateComment($issueId: String!, $body: String!) {
+        commentCreate(input: { issueId: $issueId, body: $body }) {
+          success
+          comment {
+            id
+            body
+          }
+        }
+      }
+      `, { issueId: params.issueId, body: params.body });
+        if (!response.commentCreate.success || !response.commentCreate.comment) {
+            throw new Error(`Linear rejected comment upsert for issue ${params.issueId}`);
+        }
+        return response.commentCreate.comment;
+    }
+    async createAgentActivity(params) {
+        const response = await this.request(`
+      mutation PatchRelayCreateAgentActivity($input: AgentActivityCreateInput!) {
+        agentActivityCreate(input: $input) {
+          success
+          agentActivity {
+            id
+          }
+        }
+      }
+      `, {
+            input: {
+                agentSessionId: params.agentSessionId,
+                content: params.content,
+                ephemeral: params.ephemeral ?? false,
+            },
+        });
+        if (!response.agentActivityCreate.success || !response.agentActivityCreate.agentActivity) {
+            throw new Error(`Linear rejected agent activity for session ${params.agentSessionId}`);
+        }
+        return response.agentActivityCreate.agentActivity;
+    }
+    async updateIssueLabels(params) {
+        const issue = await this.getIssue(params.issueId);
+        const addIds = this.resolveLabelIds(issue, params.addNames ?? []);
+        const removeIds = this.resolveLabelIds(issue, params.removeNames ?? []);
+        if (addIds.length === 0 && removeIds.length === 0) {
+            return issue;
+        }
+        const response = await this.request(`
+      mutation PatchRelayUpdateIssueLabels($id: String!, $addedLabelIds: [String!], $removedLabelIds: [String!]) {
+        issueUpdate(id: $id, input: { addedLabelIds: $addedLabelIds, removedLabelIds: $removedLabelIds }) {
+          success
+          issue {
+            id
+            identifier
+            title
+            url
+            state {
+              id
+              name
+            }
+            labels {
+              nodes {
+                id
+                name
+              }
+            }
+            team {
+              id
+              key
+              states {
+                nodes {
+                  id
+                  name
+                  type
+                }
+              }
+              labels {
+                nodes {
+                  id
+                  name
+                }
+              }
+            }
+          }
+        }
+      }
+      `, {
+            id: params.issueId,
+            addedLabelIds: addIds,
+            removedLabelIds: removeIds,
+        });
+        if (!response.issueUpdate.success || !response.issueUpdate.issue) {
+            throw new Error(`Linear rejected label update for issue ${issue.identifier ?? params.issueId}`);
+        }
+        return this.mapIssue(response.issueUpdate.issue);
+    }
+    async getActorProfile() {
+        const response = await this.request(`
+      query PatchRelayViewer {
+        viewer {
+          id
+          name
+        }
+      }
+      `, {});
+        return {
+            ...(response.viewer?.id ? { actorId: response.viewer.id } : {}),
+            ...(response.viewer?.name ? { actorName: response.viewer.name } : {}),
+        };
+    }
+    async request(query, variables) {
+        const response = await fetch(this.options.graphqlUrl, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+                authorization: `Bearer ${this.options.accessToken}`,
+            },
+            body: JSON.stringify({
+                query,
+                variables,
+            }),
+        });
+        if (!response.ok) {
+            throw new Error(`Linear API request failed with HTTP ${response.status}`);
+        }
+        const payload = (await response.json());
+        if (payload.errors?.length) {
+            const message = payload.errors.map((error) => error.message ?? "Unknown GraphQL error").join("; ");
+            this.logger.warn({ message }, "Linear GraphQL returned errors");
+            throw new Error(message);
+        }
+        if (!payload.data) {
+            throw new Error("Linear API returned no data");
+        }
+        return payload.data;
+    }
+    mapIssue(issue) {
+        const labels = (issue.labels?.nodes ?? []).map((label) => ({ id: label.id, name: label.name }));
+        const teamLabels = (issue.team?.labels?.nodes ?? []).map((label) => ({ id: label.id, name: label.name }));
+        return {
+            id: issue.id,
+            ...(issue.identifier ? { identifier: issue.identifier } : {}),
+            ...(issue.title ? { title: issue.title } : {}),
+            ...(issue.url ? { url: issue.url } : {}),
+            ...(issue.state?.id ? { stateId: issue.state.id } : {}),
+            ...(issue.state?.name ? { stateName: issue.state.name } : {}),
+            ...(issue.team?.id ? { teamId: issue.team.id } : {}),
+            ...(issue.team?.key ? { teamKey: issue.team.key } : {}),
+            workflowStates: (issue.team?.states?.nodes ?? []).map((state) => ({
+                id: state.id,
+                name: state.name,
+                ...(state.type ? { type: state.type } : {}),
+            })),
+            labelIds: labels.map((label) => label.id),
+            labels,
+            teamLabels,
+        };
+    }
+    resolveLabelIds(issue, names) {
+        const wanted = new Set(names.map((name) => name.trim().toLowerCase()).filter(Boolean));
+        if (wanted.size === 0) {
+            return [];
+        }
+        const labelIds = issue.teamLabels
+            .filter((label) => wanted.has(label.name.trim().toLowerCase()))
+            .map((label) => label.id);
+        const missing = [...wanted].filter((name) => !issue.teamLabels.some((label) => label.name.trim().toLowerCase() === name));
+        if (missing.length > 0) {
+            this.logger.warn({ issueId: issue.id, missing }, "PatchRelay skipped missing configured Linear labels");
+        }
+        return labelIds;
+    }
+}
+export class DatabaseBackedLinearClientProvider {
+    config;
+    db;
+    logger;
+    constructor(config, db, logger) {
+        this.config = config;
+        this.db = db;
+        this.logger = logger;
+    }
+    async forProject(projectId) {
+        const link = this.db.linearInstallations.getProjectInstallation(projectId);
+        if (link) {
+            const installation = this.db.linearInstallations.getLinearInstallation(link.installationId);
+            if (!installation) {
+                return undefined;
+            }
+            const encryptionKey = this.config.linear.tokenEncryptionKey;
+            let accessToken = decryptSecret(installation.accessTokenCiphertext, encryptionKey);
+            const refreshToken = installation.refreshTokenCiphertext
+                ? decryptSecret(installation.refreshTokenCiphertext, encryptionKey)
+                : undefined;
+            if (shouldRefreshToken(installation.expiresAt) && refreshToken) {
+                const refreshed = await refreshLinearOAuthToken(this.config, refreshToken);
+                accessToken = refreshed.accessToken;
+                this.db.linearInstallations.updateLinearInstallationTokens(installation.id, {
+                    accessTokenCiphertext: encryptSecret(refreshed.accessToken, encryptionKey),
+                    ...(refreshed.refreshToken
+                        ? { refreshTokenCiphertext: encryptSecret(refreshed.refreshToken, encryptionKey) }
+                        : {}),
+                    scopesJson: JSON.stringify(refreshed.scopes),
+                    ...(refreshed.expiresAt ? { expiresAt: refreshed.expiresAt } : {}),
+                });
+            }
+            return new LinearGraphqlClient({
+                accessToken,
+                graphqlUrl: this.config.linear.graphqlUrl,
+            }, this.logger);
+        }
+        return undefined;
+    }
+}
+function shouldRefreshToken(expiresAt) {
+    if (!expiresAt) {
+        return false;
+    }
+    return Date.parse(expiresAt) <= Date.now() + 5 * 60 * 1000;
+}

package/dist/linear-oauth-service.js

@@ -0,0 +1,131 @@
+import { createLinearOAuthUrl, createOAuthStateToken, installLinearOAuthCode } from "./linear-oauth.js";
+const LINEAR_OAUTH_STATE_TTL_MS = 15 * 60 * 1000;
+function oauthStateExpired(createdAt) {
+    const createdAtMs = Date.parse(createdAt);
+    return !Number.isFinite(createdAtMs) || createdAtMs + LINEAR_OAUTH_STATE_TTL_MS < Date.now();
+}
+export class LinearOAuthService {
+    config;
+    stores;
+    logger;
+    constructor(config, stores, logger) {
+        this.config = config;
+        this.stores = stores;
+        this.logger = logger;
+    }
+    createStart(params) {
+        if (params?.projectId && !this.config.projects.some((project) => project.id === params.projectId)) {
+            throw new Error(`Unknown project: ${params.projectId}`);
+        }
+        if (params?.projectId) {
+            const existingLink = this.stores.linearInstallations.getProjectInstallation(params.projectId);
+            if (existingLink) {
+                const installation = this.stores.linearInstallations.getLinearInstallation(existingLink.installationId);
+                if (installation) {
+                    return {
+                        completed: true,
+                        reusedExisting: true,
+                        projectId: params.projectId,
+                        installation: this.getInstallationSummary(installation),
+                    };
+                }
+            }
+            const installations = this.stores.linearInstallations.listLinearInstallations();
+            if (installations.length === 1) {
+                const installation = installations[0];
+                if (installation) {
+                    this.stores.linearInstallations.linkProjectInstallation(params.projectId, installation.id);
+                    return {
+                        completed: true,
+                        reusedExisting: true,
+                        projectId: params.projectId,
+                        installation: this.getInstallationSummary(installation),
+                    };
+                }
+            }
+        }
+        const state = createOAuthStateToken();
+        const record = this.stores.linearInstallations.createOAuthState({
+            provider: "linear",
+            state,
+            redirectUri: this.config.linear.oauth.redirectUri,
+            actor: this.config.linear.oauth.actor,
+            ...(params?.projectId ? { projectId: params.projectId } : {}),
+        });
+        return {
+            state,
+            authorizeUrl: createLinearOAuthUrl(this.config, record.state, record.redirectUri, record.projectId),
+            redirectUri: record.redirectUri,
+            ...(record.projectId ? { projectId: record.projectId } : {}),
+        };
+    }
+    async complete(params) {
+        const oauthState = this.stores.linearInstallations.getOAuthState(params.state);
+        if (!oauthState || oauthState.consumedAt) {
+            throw new Error("OAuth state was not found or has already been consumed");
+        }
+        if (oauthStateExpired(oauthState.createdAt)) {
+            this.stores.linearInstallations.finalizeOAuthState({
+                state: params.state,
+                status: "failed",
+                errorMessage: "OAuth state expired",
+            });
+            throw new Error("OAuth state has expired. Start the connection flow again.");
+        }
+        try {
+            const installation = await installLinearOAuthCode({
+                config: this.config,
+                db: this.stores.linearInstallations,
+                logger: this.logger,
+                code: params.code,
+                redirectUri: oauthState.redirectUri,
+                ...(oauthState.projectId ? { projectId: oauthState.projectId } : {}),
+            });
+            this.stores.linearInstallations.finalizeOAuthState({
+                state: params.state,
+                status: "completed",
+                installationId: installation.id,
+            });
+            return installation;
+        }
+        catch (error) {
+            this.stores.linearInstallations.finalizeOAuthState({
+                state: params.state,
+                status: "failed",
+                errorMessage: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+        }
+    }
+    getStateStatus(state) {
+        const oauthState = this.stores.linearInstallations.getOAuthState(state);
+        if (!oauthState) {
+            return undefined;
+        }
+        const installation = oauthState.installationId !== undefined ? this.stores.linearInstallations.getLinearInstallation(oauthState.installationId) : undefined;
+        return {
+            state: oauthState.state,
+            status: oauthState.status,
+            ...(oauthState.projectId ? { projectId: oauthState.projectId } : {}),
+            ...(installation ? { installation: this.getInstallationSummary(installation) } : {}),
+            ...(oauthState.errorMessage ? { errorMessage: oauthState.errorMessage } : {}),
+        };
+    }
+    listInstallations() {
+        const links = this.stores.linearInstallations.listProjectInstallations();
+        return this.stores.linearInstallations.listLinearInstallations().map((installation) => ({
+            installation: this.getInstallationSummary(installation),
+            linkedProjects: links.filter((link) => link.installationId === installation.id).map((link) => link.projectId),
+        }));
+    }
+    getInstallationSummary(installation) {
+        return {
+            id: installation.id,
+            ...(installation.workspaceName ? { workspaceName: installation.workspaceName } : {}),
+            ...(installation.workspaceKey ? { workspaceKey: installation.workspaceKey } : {}),
+            ...(installation.actorName ? { actorName: installation.actorName } : {}),
+            ...(installation.actorId ? { actorId: installation.actorId } : {}),
+            ...(installation.expiresAt ? { expiresAt: installation.expiresAt } : {}),
+        };
+    }
+}

package/dist/linear-oauth.js

@@ -0,0 +1,154 @@
+import crypto from "node:crypto";
+import { encryptSecret } from "./token-crypto.js";
+const DEFAULT_LINEAR_AUTHORIZE_URL = "https://linear.app/oauth/authorize";
+const DEFAULT_LINEAR_TOKEN_URL = "https://api.linear.app/oauth/token";
+export function createOAuthStateToken() {
+    return crypto.randomBytes(24).toString("hex");
+}
+export function createLinearOAuthUrl(config, state, redirectUri, _projectId) {
+    const url = new URL(DEFAULT_LINEAR_AUTHORIZE_URL);
+    url.searchParams.set("client_id", config.linear.oauth.clientId);
+    url.searchParams.set("redirect_uri", redirectUri ?? config.linear.oauth.redirectUri);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("scope", config.linear.oauth.scopes.join(" "));
+    url.searchParams.set("state", state);
+    url.searchParams.set("prompt", "consent");
+    url.searchParams.set("actor", config.linear.oauth.actor);
+    return url.toString();
+}
+export async function exchangeLinearOAuthCode(config, params) {
+    const response = await fetch(DEFAULT_LINEAR_TOKEN_URL, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+        },
+        body: JSON.stringify({
+            grant_type: "authorization_code",
+            code: params.code,
+            client_id: config.linear.oauth.clientId,
+            client_secret: config.linear.oauth.clientSecret,
+            redirect_uri: params.redirectUri,
+        }),
+    });
+    const payload = (await response.json().catch(() => undefined));
+    if (!response.ok || !payload) {
+        throw new Error(`Linear OAuth code exchange failed with HTTP ${response.status}`);
+    }
+    const accessToken = typeof payload.access_token === "string" ? payload.access_token : undefined;
+    if (!accessToken) {
+        throw new Error("Linear OAuth response did not include access_token");
+    }
+    const expiresIn = typeof payload.expires_in === "number" ? payload.expires_in : undefined;
+    const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1000).toISOString() : undefined;
+    return {
+        accessToken,
+        ...(typeof payload.refresh_token === "string" ? { refreshToken: payload.refresh_token } : {}),
+        ...(expiresAt ? { expiresAt } : {}),
+        scopes: typeof payload.scope === "string"
+            ? payload.scope.split(/[,\s]+/).filter(Boolean)
+            : config.linear.oauth.scopes,
+    };
+}
+export async function refreshLinearOAuthToken(config, refreshToken) {
+    const response = await fetch(DEFAULT_LINEAR_TOKEN_URL, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+        },
+        body: JSON.stringify({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: config.linear.oauth.clientId,
+            client_secret: config.linear.oauth.clientSecret,
+        }),
+    });
+    const payload = (await response.json().catch(() => undefined));
+    if (!response.ok || !payload) {
+        throw new Error(`Linear OAuth token refresh failed with HTTP ${response.status}`);
+    }
+    const accessToken = typeof payload.access_token === "string" ? payload.access_token : undefined;
+    if (!accessToken) {
+        throw new Error("Linear OAuth refresh response did not include access_token");
+    }
+    const expiresIn = typeof payload.expires_in === "number" ? payload.expires_in : undefined;
+    const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1000).toISOString() : undefined;
+    return {
+        accessToken,
+        ...(typeof payload.refresh_token === "string" ? { refreshToken: payload.refresh_token } : {}),
+        ...(expiresAt ? { expiresAt } : {}),
+        scopes: typeof payload.scope === "string"
+            ? payload.scope.split(/[,\s]+/).filter(Boolean)
+            : config.linear.oauth.scopes,
+    };
+}
+export async function fetchLinearViewerIdentity(graphqlUrl, accessToken, logger) {
+    const response = await fetch(graphqlUrl, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${accessToken}`,
+        },
+        body: JSON.stringify({
+            query: `
+        query PatchRelayLinearViewer {
+          viewer {
+            id
+            name
+          }
+          teams {
+            nodes {
+              id
+              name
+              key
+            }
+          }
+        }
+      `,
+        }),
+    });
+    const payload = (await response.json().catch(() => undefined));
+    if (!response.ok || !payload?.data) {
+        throw new Error(`Linear viewer lookup failed with HTTP ${response.status}`);
+    }
+    const teams = payload.data.teams?.nodes ?? [];
+    const firstTeam = teams.find((team) => team?.id || team?.name || team?.key);
+    const result = {
+        ...(firstTeam?.id ? { workspaceId: firstTeam.id } : {}),
+        ...(firstTeam?.name ? { workspaceName: firstTeam.name } : {}),
+        ...(firstTeam?.key ? { workspaceKey: firstTeam.key } : {}),
+        ...(payload.data.viewer?.id ? { actorId: payload.data.viewer.id } : {}),
+        ...(payload.data.viewer?.name ? { actorName: payload.data.viewer.name } : {}),
+    };
+    logger.debug({
+        workspaceId: result.workspaceId,
+        workspaceName: result.workspaceName,
+        actorId: result.actorId,
+        actorName: result.actorName,
+    }, "Resolved Linear OAuth identity");
+    return result;
+}
+export async function installLinearOAuthCode(params) {
+    const tokenSet = await exchangeLinearOAuthCode(params.config, {
+        code: params.code,
+        redirectUri: params.redirectUri,
+    });
+    const identity = await fetchLinearViewerIdentity(params.config.linear.graphqlUrl, tokenSet.accessToken, params.logger);
+    const installation = params.db.upsertLinearInstallation({
+        ...(identity.workspaceId ? { workspaceId: identity.workspaceId } : {}),
+        ...(identity.workspaceName ? { workspaceName: identity.workspaceName } : {}),
+        ...(identity.workspaceKey ? { workspaceKey: identity.workspaceKey } : {}),
+        ...(identity.actorId ? { actorId: identity.actorId } : {}),
+        ...(identity.actorName ? { actorName: identity.actorName } : {}),
+        accessTokenCiphertext: encryptSecret(tokenSet.accessToken, params.config.linear.tokenEncryptionKey),
+        ...(tokenSet.refreshToken
+            ? { refreshTokenCiphertext: encryptSecret(tokenSet.refreshToken, params.config.linear.tokenEncryptionKey) }
+            : {}),
+        scopesJson: JSON.stringify(tokenSet.scopes),
+        ...(tokenSet.tokenType ? { tokenType: tokenSet.tokenType } : { tokenType: "Bearer" }),
+        ...(tokenSet.expiresAt ? { expiresAt: tokenSet.expiresAt } : {}),
+    });
+    if (params.projectId) {
+        params.db.linkProjectInstallation(params.projectId, installation.id);
+    }
+    return installation;
+}