chore(linear): address PR #87 nice-to-have review items

- linear_reactions: log a single DEBUG line when the auth circuit
  breaker short-circuits a call, so the path isn't zero-trace once
  open.
- config: split the `(BotoCoreError, ClientError)` catch so
  `AccessDeniedException` logs at ERROR instead of WARN — IAM
  misconfig is persistent and should page someone, not blend into
  transient warnings. Also drop the personal name from the inline
  reference to the #63 review.
- linear-webhook-processor: tighten `buildCreateTaskFailureMessage`
  param types to `number` / `string` (no `| undefined`) — the only
  caller passes `APIGatewayProxyResult` fields which are always
  defined. Removes dead fallback-to-`'unknown'` branches.
- test_config: 2 new tests covering the split exception path
  (AccessDenied → ERROR; ResourceNotFound → WARN).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bgagent

agent/src/config.py

@@ -75,11 +75,18 @@ def resolve_linear_api_token() -> str:
         if token:
             os.environ["LINEAR_API_TOKEN"] = token
         return token
-    except (BotoCoreError, ClientError) as e:
+    except ClientError as e:
+        # Narrowed from a broader `except` per #63 review — broader catches
+        # hid genuine bugs in the Secrets Manager call shape. AccessDenied
+        # is logged at ERROR because it's a persistent IAM misconfig that
+        # should page someone, not a transient blip.
+        code = e.response.get("Error", {}).get("Code", "")
+        severity = "ERROR" if code == "AccessDeniedException" else "WARN"
+        log(severity, f"resolve_linear_api_token failed: {type(e).__name__}: {e}")
+        return ""
+    except BotoCoreError as e:
         # Never let a Secrets Manager outage crash the agent. The Linear MCP
-        # will simply fail on first call with a clear auth error. Narrowed
-        # to botocore exceptions per Alain's #63 review — broader `except`
-        # hid genuine bugs in the Secrets Manager call shape.
+        # will simply fail on first call with a clear auth error.
         log("WARN", f"resolve_linear_api_token failed: {type(e).__name__}: {e}")
         return ""
 

agent/src/linear_reactions.py

@@ -129,8 +129,10 @@ def _graphql(query: str, variables: dict[str, Any]) -> dict[str, Any] | None:
     global _consecutive_auth_failures, _auth_circuit_open
 
     with _auth_state_lock:
-        if _auth_circuit_open:
-            return None
+        circuit_open = _auth_circuit_open
+    if circuit_open:
+        log("DEBUG", "linear_reactions: auth circuit still open; short-circuiting call")
+        return None
 
     token = os.environ.get("LINEAR_API_TOKEN", "")
     if not token:

agent/tests/test_config.py

@@ -1,7 +1,7 @@
 """Unit tests for config.py — build_config and constants."""
 
 import sys
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 
 import pytest
 
@@ -120,3 +120,39 @@ def test_import_error_degrades_gracefully(self, monkeypatch):
         assert mock_log.call_count == 1
         assert mock_log.call_args[0][0] == "WARN"
         assert "boto3 unavailable" in mock_log.call_args[0][1]
+
+    def test_access_denied_logged_at_error(self, monkeypatch):
+        """Persistent IAM misconfig should page someone — escalate from WARN
+        to ERROR so alerts fire."""
+        monkeypatch.delenv("LINEAR_API_TOKEN", raising=False)
+        monkeypatch.setenv("LINEAR_API_TOKEN_SECRET_ARN", "arn:aws:sm:::secret/linear")
+
+        from botocore.exceptions import ClientError
+
+        err = ClientError(
+            {"Error": {"Code": "AccessDeniedException", "Message": "no access"}},
+            "GetSecretValue",
+        )
+        fake_client = MagicMock()
+        fake_client.get_secret_value.side_effect = err
+        with patch("boto3.client", return_value=fake_client), patch("config.log") as mock_log:
+            assert resolve_linear_api_token() == ""
+        assert mock_log.call_count == 1
+        assert mock_log.call_args[0][0] == "ERROR"
+
+    def test_other_client_error_logged_at_warn(self, monkeypatch):
+        monkeypatch.delenv("LINEAR_API_TOKEN", raising=False)
+        monkeypatch.setenv("LINEAR_API_TOKEN_SECRET_ARN", "arn:aws:sm:::secret/linear")
+
+        from botocore.exceptions import ClientError
+
+        err = ClientError(
+            {"Error": {"Code": "ResourceNotFoundException", "Message": "missing"}},
+            "GetSecretValue",
+        )
+        fake_client = MagicMock()
+        fake_client.get_secret_value.side_effect = err
+        with patch("boto3.client", return_value=fake_client), patch("config.log") as mock_log:
+            assert resolve_linear_api_token() == ""
+        assert mock_log.call_count == 1
+        assert mock_log.call_args[0][0] == "WARN"

cdk/src/handlers/linear-webhook-processor.ts

@@ -273,7 +273,7 @@ function shouldTrigger(payload: LinearIssueEvent, labelFilter: string): boolean
  *
  * Falls back to a generic message if the body fails to parse — best-effort, never throws.
  */
-function buildCreateTaskFailureMessage(statusCode: number | undefined, rawBody: string | undefined): string {
+function buildCreateTaskFailureMessage(statusCode: number, rawBody: string): string {
   let detail = '';
   try {
     if (rawBody) {
@@ -296,9 +296,9 @@ function buildCreateTaskFailureMessage(statusCode: number | undefined, rawBody:
     return `❌ ABCA is temporarily unavailable (status ${statusCode}). Please re-apply the trigger label in a few minutes.`;
   }
   if (detail) {
-    return `❌ ABCA couldn't create this task (status ${statusCode ?? 'unknown'}): ${detail}`;
+    return `❌ ABCA couldn't create this task (status ${statusCode}): ${detail}`;
   }
-  return `❌ ABCA couldn't create this task (status ${statusCode ?? 'unknown'}). Check the ABCA admin logs for details.`;
+  return `❌ ABCA couldn't create this task (status ${statusCode}). Check the ABCA admin logs for details.`;
 }
 
 function buildTaskDescription(issue: LinearIssueEvent['data']): string {