Add OAuth app and webhook management#34
Open
itz4blitz wants to merge 3 commits into
Open
Conversation
… precision - Validate webhook args before the sanitizing try in create/update handlers so invalid-args failures are labeled as such instead of as omitted Linear errors - State the teamId-XOR-allPublicTeams rule and public-HTTPS requirement in the createWebhook description and encode it as a source-level anyOf - Document the app-only scope and admin/actor rules on generateOAuthAuthorizationUrl - Narrow the IPv4 deny-list from 192.0.0.0/16 to the reserved /24s and add TEST-NET-2/3; derive schema maxItems from the shared constants - Cover the full public-URL deny/allow matrix, token-endpoint HTTP failure and invalid-JSON branches, and invalid-args-with-secret labeling in tests
itz4blitz
force-pushed
the
justin/oauth-app-webhook-management
branch
from
July 12, 2026 14:11
ac8568d to
d408b70
Compare
itz4blitz
marked this pull request as ready for review
July 12, 2026 14:12
This was referenced Jul 12, 2026
Contributor
Author
|
@beautyfree Heads up — alongside this PR I've opened three more, all independent and reviewable in any order:
Suggested merge order: this one and #35 in either order, then #36/#37 (I'll rebase those promptly if this PR lands first, as they touch some of the same files). Happy to split, trim, or adjust any of them however you prefer. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add an end-to-end OAuth application and webhook management surface for agent and CI pipelines.
client_credentialstoken issuance for non-interactive GitHub/agent pipelines.teamIdorallPublicTeams: true, unique non-empty resource names, and a publicly reachable HTTPS destination; OAuth installation webhooks retain Linear's exact 22-value enum.LINEAR_OAUTH_ACCESS_TOKENand--oauth-tokenwhile preserving API-key behavior and explicit CLI precedence.@linear/sdkto 88.1.0 and bump the package to 1.4.0.Linear API behavior represented truthfully
linear_generateOAuthApplicationSetupreturns the official manifest/setup URL and says that an admin must confirm it.LinearClientmethods, so this PR keeps their raw GraphQL slice narrow and documented./oauth/authorizeor/oauth/token; they are not mutable app fields.admin. Workspace webhook administration therefore may need a separate MCP server entry authenticated with a workspace-admin API key or eligible user-actor token.References: OAuth 2.0, OAuth app manifests, agent scopes, and webhooks.
Safety and validation
confirmSecretExposure: true.confirmScopeChangeRisk: true.isDiffHiddenupdate input compatibility is preserved across the SDK upgrade.TDD / verification
npm test— 26 suites, 187 tests passed.npm run build— passed.npm pack --dry-run— passed.git diff --check— passed.Successful live Linear mutations were not run because this checkout had no Linear API or OAuth credential. No workspace resources were created.
DEVELOPMENT.mdnow documents using temporary child apps/webhooks and cleaning them up for a credentialed live pass.npm run lintremains unavailable on currentmain: ESLint 9 is configured without aneslint.config.*file. This PR does not expand scope into the existing lint-tooling issue.