feat(linear): comment + react on pre-container task-creation failures

Closes the silent-drop UX gap that appeared whenever a Linear-triggered task
was rejected before the agent container started — the user would apply the
trigger label, see nothing happen, and have no way to know why. Reactions
and progress comments are emitted by the agent container; nothing fired
until that point, so all upstream rejections were invisible on the Linear
side.

This commit wires a best-effort GraphQL feedback path covering all six
distinct rejection points:

In `linear-webhook-processor.ts` (pre-`createTaskCore`):
  1. Issue has no projectId → "isn't in a project" comment
  2. Project not onboarded / removed → "isn't onboarded; admin can run
     `bgagent linear onboard-project`" comment
  3. Webhook missing organization or actor → diagnostic comment
  4. Linear actor has no linked platform user → "v1 only the API-token
     owner can submit; multi-user OAuth is on the v3 roadmap" comment
  5. `createTaskCore` returns non-201 → message branched on status:
     guardrail/validation block surfaces the user-facing error string;
     503 prompts the user to re-apply the label; other 4xx/5xx falls
     through to a generic message.

In `orchestrate-task.ts` (post-201, in admission control):
  6. User concurrency cap rejection → "concurrency limit; wait for one
     to finish, then re-apply the label" comment.

All five processor paths and the orchestrator path call a shared helper,
`reportIssueFailure(secretArn, issueId, message)`, that runs the comment
and ❌ reaction in parallel via `Promise.allSettled`. The helper:

  - Reuses the existing 5-minute `getLinearSecret` cache from
    `linear-verify.ts` (no extra Secrets Manager hits on warm Lambdas).
  - Swallows network, auth, and GraphQL errors with WARN logs — Linear
    feedback is advisory and must never gate the rejection path.
  - Posts to Linear's hosted GraphQL endpoint; mutation shapes match
    `agent/src/linear_reactions.py` (`commentCreate`, `reactionCreate`).

CDK plumbing:

  - `linear-integration.ts` — wires `LINEAR_API_TOKEN_SECRET_ARN` into
    the webhook processor and grants read on the existing
    `LinearIntegration.apiTokenSecret`.
  - `agent.ts` — grants the same secret to `orchestrator.fn` and
    populates the env var. The grant is unconditional; the orchestrator
    only invokes the helper when `task.channel_source === 'linear'`.

The non-Linear case is a hard no-op at the call site — `notifyLinear-
OnConcurrencyCap` early-returns on `channel_source !== 'linear'`, and the
processor only handles Linear payloads. Slack/API/webhook tasks are
unaffected.

Tests (28 new; 1240 → 1268, all green):

  - `cdk/test/handlers/shared/linear-feedback.test.ts` (13 tests):
    mutation shape, auth header, error swallowing in 4 distinct failure
    modes (secret-resolution null, non-2xx, GraphQL `errors`, network
    throw), `Promise.allSettled` partial-success semantics.
  - `cdk/test/handlers/linear-webhook-processor.test.ts` (10 new tests
    in a `user-visible feedback` describe block): one assertion per
    rejection path + happy-path-doesn't-fire + filter-rejection-doesn't-
    fire (the latter is intentional UX — the processor sees many events
    that aren't tasks, and dropping a comment on each would be noisy).
  - `cdk/test/handlers/orchestrate-task-feedback.test.ts` (5 tests):
    new file; covers `notifyLinearOnConcurrencyCap` directly with
    `withDurableExecution` mocked. Asserts the linear path fires; the
    api/webhook/slack paths no-op; missing metadata, missing env, and
    undefined `channel_metadata` all no-op cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bgagent

cdk/src/constructs/linear-integration.ts

@@ -181,11 +181,13 @@ export class LinearIntegration extends Construct {
         ...createTaskEnv,
         LINEAR_PROJECT_MAPPING_TABLE_NAME: this.projectMappingTable.tableName,
         LINEAR_USER_MAPPING_TABLE_NAME: this.userMappingTable.tableName,
+        LINEAR_API_TOKEN_SECRET_ARN: this.apiTokenSecret.secretArn,
       },
       bundling: commonBundling,
     });
     this.projectMappingTable.grantReadData(webhookProcessorFn);
     this.userMappingTable.grantReadData(webhookProcessorFn);
+    this.apiTokenSecret.grantRead(webhookProcessorFn);
     props.taskTable.grantReadWriteData(webhookProcessorFn);
     props.taskEventsTable.grantReadWriteData(webhookProcessorFn);
     if (props.repoTable) {

cdk/src/handlers/linear-webhook-processor.ts

@@ -21,12 +21,14 @@ import * as crypto from 'crypto';
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
 import { DynamoDBDocumentClient, GetCommand } from '@aws-sdk/lib-dynamodb';
 import { createTaskCore } from './shared/create-task-core';
+import { reportIssueFailure } from './shared/linear-feedback';
 import { logger } from './shared/logger';
 
 const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({}));
 
 const PROJECT_MAPPING_TABLE = process.env.LINEAR_PROJECT_MAPPING_TABLE_NAME!;
 const USER_MAPPING_TABLE = process.env.LINEAR_USER_MAPPING_TABLE_NAME!;
+const API_TOKEN_SECRET_ARN = process.env.LINEAR_API_TOKEN_SECRET_ARN!;
 const DEFAULT_LABEL_FILTER = 'bgagent';
 
 /** Shape of Linear `Issue` webhook payloads we care about. Undocumented fields are tolerated. */
@@ -100,6 +102,11 @@ export async function handler(event: ProcessorEvent): Promise<void> {
     logger.info('Linear Issue has no projectId — skipping (cannot route to a repo)', {
       issue_id: issue.id,
     });
+    await reportIssueFailure(
+      API_TOKEN_SECRET_ARN,
+      issue.id,
+      "❌ This Linear issue isn't in a project — ABCA needs a Linear project to route the task to a repo. Move the issue into a project and re-apply the trigger label.",
+    );
     return;
   }
 
@@ -113,6 +120,11 @@ export async function handler(event: ProcessorEvent): Promise<void> {
       linear_project_id: projectId,
       issue_id: issue.id,
     });
+    await reportIssueFailure(
+      API_TOKEN_SECRET_ARN,
+      issue.id,
+      "❌ This Linear project isn't onboarded to ABCA. An admin can onboard it with `bgagent linear onboard-project <project-uuid> --repo <owner>/<repo> --label <trigger>`.",
+    );
     return;
   }
   const repo = mapping.Item.repo as string;
@@ -145,6 +157,11 @@ export async function handler(event: ProcessorEvent): Promise<void> {
       organization_id: workspaceId,
       actor_id: actorId,
     });
+    await reportIssueFailure(
+      API_TOKEN_SECRET_ARN,
+      issue.id,
+      "❌ Linear webhook is missing the organization or actor field — ABCA can't attribute this task to a user. This is unusual; please report it to your ABCA admin.",
+    );
     return;
   }
 
@@ -155,6 +172,11 @@ export async function handler(event: ProcessorEvent): Promise<void> {
       linear_user_id: actorId,
       issue_id: issue.id,
     });
+    await reportIssueFailure(
+      API_TOKEN_SECRET_ARN,
+      issue.id,
+      "❌ This Linear user isn't linked to a platform user. In v1 only the API-token owner can submit tasks from Linear; multi-user OAuth support is on the v3 roadmap.",
+    );
     return;
   }
 
@@ -192,6 +214,11 @@ export async function handler(event: ProcessorEvent): Promise<void> {
       body: result.body,
       issue_id: issue.id,
     });
+    await reportIssueFailure(
+      API_TOKEN_SECRET_ARN,
+      issue.id,
+      buildCreateTaskFailureMessage(result.statusCode, result.body),
+    );
     return;
   }
 
@@ -236,6 +263,44 @@ function shouldTrigger(payload: LinearIssueEvent, labelFilter: string): boolean
   return false;
 }
 
+/**
+ * Translate a `createTaskCore` non-201 response into a user-facing Linear comment.
+ *
+ * The CDK error envelope is `{ error: { code, message, request_id } }`. We surface
+ * the `message` because it's already user-readable (e.g. "Task description was
+ * blocked by content policy") and add a per-status prefix so the user can tell
+ * a guardrail block from a 503 from a validation error.
+ *
+ * Falls back to a generic message if the body fails to parse — best-effort, never throws.
+ */
+function buildCreateTaskFailureMessage(statusCode: number | undefined, rawBody: string | undefined): string {
+  let detail = '';
+  try {
+    if (rawBody) {
+      const parsed = JSON.parse(rawBody) as { error?: { code?: string; message?: string } };
+      const message = parsed.error?.message;
+      if (typeof message === 'string' && message.trim()) {
+        detail = message.trim();
+      }
+    }
+  } catch {
+    // fall through to the generic message
+  }
+
+  if (statusCode === 400 && detail) {
+    // Guardrail blocks and validation errors land here; the message is already
+    // user-readable so just prefix it.
+    return `❌ ABCA couldn't accept this task: ${detail}`;
+  }
+  if (statusCode === 503) {
+    return `❌ ABCA is temporarily unavailable (status ${statusCode}). Please re-apply the trigger label in a few minutes.`;
+  }
+  if (detail) {
+    return `❌ ABCA couldn't create this task (status ${statusCode ?? 'unknown'}): ${detail}`;
+  }
+  return `❌ ABCA couldn't create this task (status ${statusCode ?? 'unknown'}). Check the ABCA admin logs for details.`;
+}
+
 function buildTaskDescription(issue: LinearIssueEvent['data']): string {
   const parts: string[] = [];
   if (issue.identifier && issue.title) {

cdk/src/handlers/orchestrate-task.ts

@@ -20,6 +20,7 @@
 import { withDurableExecution, type DurableExecutionHandler } from '@aws/durable-execution-sdk-js';
 import { TaskStatus, TERMINAL_STATUSES } from '../constructs/task-status';
 import { resolveComputeStrategy } from './shared/compute-strategy';
+import { reportIssueFailure } from './shared/linear-feedback';
 import { logger } from './shared/logger';
 import {
   admissionControl,
@@ -34,6 +35,7 @@ import {
   type PollState,
 } from './shared/orchestrator';
 import { runPreflightChecks } from './shared/preflight';
+import type { TaskRecord } from './shared/types';
 
 interface OrchestrateTaskEvent {
   readonly task_id: string;
@@ -73,6 +75,7 @@ const durableHandler: DurableExecutionHandler<OrchestrateTaskEvent, void> = asyn
     if (!result) {
       await failTask(taskId, current.status, 'User concurrency limit reached', task.user_id, false);
       await emitTaskEvent(taskId, 'admission_rejected', { reason: 'concurrency_limit' });
+      await notifyLinearOnConcurrencyCap(task);
     }
     return result;
   });
@@ -265,3 +268,39 @@ const durableHandler: DurableExecutionHandler<OrchestrateTaskEvent, void> = asyn
 };
 
 export const handler = withDurableExecution(durableHandler);
+
+/**
+ * Post a Linear comment + ❌ reaction when admission control rejects a task
+ * for the user concurrency cap. Linear-only; silently no-ops for other
+ * channels.
+ *
+ * The processor side (`linear-webhook-processor.ts`) already covers
+ * pre-`createTaskCore` rejections (unmapped project, unlinked actor, guardrail);
+ * this hook covers the post-201 case where the orchestrator rejects on
+ * admission. Without this, the only Linear-side signal would be the 👀
+ * reaction the agent never gets to add — looks like the integration silently
+ * dropped the request.
+ *
+ * Best-effort: errors inside `reportIssueFailure` are swallowed at the helper
+ * layer; we don't surface them here because Linear feedback must never block
+ * the rejection path.
+ *
+ * Exported for unit testing — the durable handler invokes it inline.
+ */
+export async function notifyLinearOnConcurrencyCap(task: TaskRecord): Promise<void> {
+  if (task.channel_source !== 'linear') return;
+  const issueId = task.channel_metadata?.linear_issue_id;
+  if (!issueId) return;
+  const secretArn = process.env.LINEAR_API_TOKEN_SECRET_ARN;
+  if (!secretArn) {
+    logger.warn('Skipping Linear concurrency-cap feedback: LINEAR_API_TOKEN_SECRET_ARN not set', {
+      task_id: task.task_id,
+    });
+    return;
+  }
+  await reportIssueFailure(
+    secretArn,
+    issueId,
+    '❌ ABCA hit your concurrency limit — too many tasks running for your user. Wait for one to finish, then re-apply the trigger label.',
+  );
+}

cdk/src/handlers/shared/linear-feedback.ts

@@ -0,0 +1,147 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+import { getLinearSecret } from './linear-verify';
+import { logger } from './logger';
+
+/**
+ * Lambda-side helper for posting comments and reactions onto Linear issues
+ * via direct GraphQL. Used by the webhook processor to give users feedback
+ * on pre-container failures (guardrail block, concurrency cap, unmapped
+ * project, etc.) — paths where the agent never starts and the agent-side
+ * Linear MCP / `linear_reactions.py` cannot run.
+ *
+ * All calls are best-effort. Errors are logged at WARN and swallowed —
+ * Linear feedback is advisory and must never gate task-rejection logic.
+ */
+
+const LINEAR_GRAPHQL_URL = 'https://api.linear.app/graphql';
+
+const REQUEST_TIMEOUT_MS = 5000;
+
+/** Reaction emoji short-code for the failure marker. Matches `EMOJI_FAILURE` in `agent/src/linear_reactions.py`. */
+const EMOJI_FAILURE = 'x';
+
+const COMMENT_CREATE_MUTATION = `
+mutation CreateComment($issueId: String!, $body: String!) {
+  commentCreate(input: { issueId: $issueId, body: $body }) {
+    success
+  }
+}
+`.trim();
+
+const REACTION_CREATE_MUTATION = `
+mutation ReactIssue($issueId: String!, $emoji: String!) {
+  reactionCreate(input: { issueId: $issueId, emoji: $emoji }) {
+    success
+  }
+}
+`.trim();
+
+async function graphqlRequest(
+  apiToken: string,
+  query: string,
+  variables: Record<string, unknown>,
+): Promise<boolean> {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const resp = await fetch(LINEAR_GRAPHQL_URL, {
+      method: 'POST',
+      headers: {
+        'Authorization': apiToken,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ query, variables }),
+      signal: controller.signal,
+    });
+    if (!resp.ok) {
+      logger.warn('Linear feedback GraphQL non-2xx', { status: resp.status });
+      return false;
+    }
+    const body = (await resp.json()) as { errors?: unknown };
+    if (body.errors) {
+      logger.warn('Linear feedback GraphQL errors', { errors: body.errors });
+      return false;
+    }
+    return true;
+  } catch (err) {
+    logger.warn('Linear feedback request failed', {
+      error: err instanceof Error ? err.message : String(err),
+    });
+    return false;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function resolveToken(secretArn: string): Promise<string | null> {
+  try {
+    return await getLinearSecret(secretArn);
+  } catch (err) {
+    logger.warn('Linear feedback could not resolve API token', {
+      error: err instanceof Error ? err.message : String(err),
+    });
+    return null;
+  }
+}
+
+/**
+ * Post a comment onto a Linear issue. Returns true on success, false on any failure
+ * (network, auth, GraphQL errors). Never throws — callers proceed regardless.
+ */
+export async function postIssueComment(
+  apiTokenSecretArn: string,
+  issueId: string,
+  body: string,
+): Promise<boolean> {
+  const token = await resolveToken(apiTokenSecretArn);
+  if (!token) return false;
+  return graphqlRequest(token, COMMENT_CREATE_MUTATION, { issueId, body });
+}
+
+/**
+ * Add an emoji reaction onto a Linear issue. Defaults to ❌ — the failure marker
+ * the agent uses on the success/failure side. Returns true on success.
+ */
+export async function addIssueReaction(
+  apiTokenSecretArn: string,
+  issueId: string,
+  emoji: string = EMOJI_FAILURE,
+): Promise<boolean> {
+  const token = await resolveToken(apiTokenSecretArn);
+  if (!token) return false;
+  return graphqlRequest(token, REACTION_CREATE_MUTATION, { issueId, emoji });
+}
+
+/**
+ * Convenience: post a feedback comment **and** drop a ❌ reaction in one call.
+ * Both calls run in parallel; both are best-effort. Returns void — callers
+ * never branch on the result.
+ */
+export async function reportIssueFailure(
+  apiTokenSecretArn: string,
+  issueId: string,
+  message: string,
+): Promise<void> {
+  await Promise.allSettled([
+    postIssueComment(apiTokenSecretArn, issueId, message),
+    addIssueReaction(apiTokenSecretArn, issueId, EMOJI_FAILURE),
+  ]);
+}

cdk/src/stacks/agent.ts

@@ -604,6 +604,18 @@ export class AgentStack extends Stack {
       linearIntegration.apiTokenSecret.secretArn,
     );
 
+    // Pipe the Linear API token secret into the orchestrator Lambda so the
+    // concurrency-cap rejection path can post a Linear comment + ❌ instead
+    // of silently dropping the task. The orchestrator only uses the secret
+    // when `task.channel_source === 'linear'`, but the IAM grant is
+    // unconditional — the secret is created lazily via Secrets Manager and
+    // costs nothing if unused.
+    linearIntegration.apiTokenSecret.grantRead(orchestrator.fn);
+    orchestrator.fn.addEnvironment(
+      'LINEAR_API_TOKEN_SECRET_ARN',
+      linearIntegration.apiTokenSecret.secretArn,
+    );
+
     new CfnOutput(this, 'LinearWebhookSecretArn', {
       value: linearIntegration.webhookSecret.secretArn,
       description: 'Secrets Manager ARN for the Linear webhook signing secret — populate via `bgagent linear setup`',