fix(agent): ruff lint + format for OAuth refresh path

Five lint errors surfaced when CI ran `ruff check --fix` against the
Wave C agent changes:

- F401 unused `timezone` import in `config.py` (replaced with
  `timedelta`, which is what's actually needed)
- RUF034 useless if-else in the `expires_at` ternary — both branches
  returned identical strings before the recompute below; flatten into
  a single straightforward `if expires_in: ... else: ...` block
- E501 three line-length violations in `config.py` and
  `test_config.py` — break the long expressions onto helper-named
  intermediates

Confirmed locally: `ruff check .` clean, `ruff format --check` clean,
`pytest tests/test_config.py` 15/15 pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bgagent

agent/src/config.py

@@ -3,6 +3,7 @@
 import os
 import sys
 import uuid
+from datetime import UTC
 
 from models import TaskConfig, TaskType
 from shell import log
@@ -85,7 +86,7 @@ def resolve_linear_api_token(channel_metadata: dict[str, str] | None = None) ->
 
     try:
         import json
-        from datetime import datetime, timezone
+        from datetime import datetime, timedelta
 
         import boto3
         from botocore.exceptions import BotoCoreError, ClientError
@@ -104,7 +105,7 @@ def _is_expiring(expires_at_iso: str, threshold_seconds: int = 60) -> bool:
             expiry = datetime.fromisoformat(expires_at_iso.replace("Z", "+00:00"))
         except ValueError:
             return True
-        return (expiry - datetime.now(timezone.utc)).total_seconds() < threshold_seconds
+        return (expiry - datetime.now(UTC)).total_seconds() < threshold_seconds
 
     def _refresh(current: dict) -> dict | None:
         try:
@@ -113,12 +114,14 @@ def _refresh(current: dict) -> dict | None:
         except ImportError:
             return None
 
-        body = urllib.parse.urlencode({
-            "grant_type": "refresh_token",
-            "refresh_token": current["refresh_token"],
-            "client_id": current["client_id"],
-            "client_secret": current["client_secret"],
-        }).encode("utf-8")
+        body = urllib.parse.urlencode(
+            {
+                "grant_type": "refresh_token",
+                "refresh_token": current["refresh_token"],
+                "client_id": current["client_id"],
+                "client_secret": current["client_secret"],
+            }
+        ).encode("utf-8")
         req = urllib.request.Request(
             "https://api.linear.app/oauth/token",
             data=body,
@@ -128,32 +131,30 @@ def _refresh(current: dict) -> dict | None:
         try:
             with urllib.request.urlopen(req, timeout=10) as resp:  # noqa: S310
                 payload = json.loads(resp.read().decode("utf-8"))
-        except Exception as e:  # noqa: BLE001
+        except Exception as e:
             log("WARN", f"resolve_linear_api_token refresh failed: {type(e).__name__}: {e}")
             return None
 
         if "access_token" not in payload:
             return None
 
-        now = datetime.now(timezone.utc)
+        now = datetime.now(UTC)
+        # Linear's `expires_in` is documented and reliably sent; if it's
+        # missing we assume the access token is already valid for as long
+        # as the refresh-token call took to round-trip — set expiry to now.
+        if "expires_in" in payload:
+            future = now + timedelta(seconds=int(payload["expires_in"]))
+            expires_at_iso = future.replace(microsecond=0).isoformat().replace("+00:00", "Z")
+        else:
+            expires_at_iso = now.replace(microsecond=0).isoformat().replace("+00:00", "Z")
         next_token = {
             **current,
             "access_token": payload["access_token"],
             "refresh_token": payload.get("refresh_token", current["refresh_token"]),
-            "expires_at": (
-                now.replace(microsecond=0).isoformat().replace("+00:00", "Z")
-                if "expires_in" not in payload
-                else (now.replace(microsecond=0)).isoformat().replace("+00:00", "Z")
-                # below replaces the simple form above with the real computation
-            ),
+            "expires_at": expires_at_iso,
             "scope": payload.get("scope", current["scope"]),
             "updated_at": now.isoformat().replace("+00:00", "Z"),
         }
-        # Recompute expires_at properly.
-        if "expires_in" in payload:
-            from datetime import timedelta
-            future = now + timedelta(seconds=int(payload["expires_in"]))
-            next_token["expires_at"] = future.replace(microsecond=0).isoformat().replace("+00:00", "Z")
 
         try:
             sm.put_secret_value(SecretId=secret_arn, SecretString=json.dumps(next_token))
@@ -168,7 +169,8 @@ def _refresh(current: dict) -> dict | None:
         code = ""
         if hasattr(e, "response"):
             code = getattr(e, "response", {}).get("Error", {}).get("Code", "") or ""
-        severity = "ERROR" if code in ("AccessDeniedException", "ResourceNotFoundException") else "WARN"
+        is_hard_failure = code in ("AccessDeniedException", "ResourceNotFoundException")
+        severity = "ERROR" if is_hard_failure else "WARN"
         log(severity, f"resolve_linear_api_token failed: {type(e).__name__}: {e}")
         return ""
 

agent/tests/test_config.py

@@ -1,6 +1,6 @@
 """Unit tests for config.py — build_config and constants."""
 
-import sys
+from datetime import UTC
 from unittest.mock import MagicMock, patch
 
 import pytest
@@ -125,11 +125,11 @@ def test_returns_empty_when_region_missing(self, monkeypatch):
 
     def test_resolves_from_secrets_manager_and_caches_in_env(self, monkeypatch):
         """Happy path: channel_metadata carries the ARN, secret has access_token + future expiry."""
-        from datetime import datetime, timedelta, timezone
+        from datetime import datetime, timedelta
 
         monkeypatch.delenv("LINEAR_API_TOKEN", raising=False)
         monkeypatch.setenv("AWS_REGION", "us-east-1")
-        future = (datetime.now(timezone.utc) + timedelta(hours=12)).isoformat().replace("+00:00", "Z")
+        future = (datetime.now(UTC) + timedelta(hours=12)).isoformat().replace("+00:00", "Z")
         token_payload = {
             "access_token": "lin_oauth_fresh",
             "refresh_token": "lin_refresh_xyz",
@@ -148,10 +148,12 @@ def test_resolves_from_secrets_manager_and_caches_in_env(self, monkeypatch):
             "SecretString": __import__("json").dumps(token_payload),
         }
         with patch("boto3.client", return_value=mock_sm):
-            assert resolve_linear_api_token({"linear_oauth_secret_arn": "arn:test"}) == "lin_oauth_fresh"
+            resolved = resolve_linear_api_token({"linear_oauth_secret_arn": "arn:test"})
+            assert resolved == "lin_oauth_fresh"
 
         # Cached for subsequent reads.
         import os as _os
+
         assert _os.environ.get("LINEAR_API_TOKEN") == "lin_oauth_fresh"
         # Reset for other tests.
         monkeypatch.delenv("LINEAR_API_TOKEN", raising=False)
@@ -172,22 +174,29 @@ def test_returns_empty_on_secrets_manager_access_denied(self, monkeypatch):
 
     def test_falls_back_to_env_var_when_channel_metadata_omits_arn(self, monkeypatch):
         """LINEAR_OAUTH_SECRET_ARN env var is the back-compat fallback."""
-        from datetime import datetime, timedelta, timezone
+        from datetime import datetime, timedelta
 
         monkeypatch.delenv("LINEAR_API_TOKEN", raising=False)
         monkeypatch.setenv("AWS_REGION", "us-east-1")
         monkeypatch.setenv("LINEAR_OAUTH_SECRET_ARN", "arn:from-env")
-        future = (datetime.now(timezone.utc) + timedelta(hours=12)).isoformat().replace("+00:00", "Z")
+        future = (datetime.now(UTC) + timedelta(hours=12)).isoformat().replace("+00:00", "Z")
         mock_sm = MagicMock()
         mock_sm.get_secret_value.return_value = {
-            "SecretString": __import__("json").dumps({
-                "access_token": "lin_oauth_envpath",
-                "refresh_token": "rt", "expires_at": future, "scope": "read",
-                "client_id": "c", "client_secret": "s",
-                "workspace_id": "w", "workspace_slug": "s",
-                "installed_at": "x", "updated_at": "x",
-                "installed_by_platform_user_id": "u",
-            }),
+            "SecretString": __import__("json").dumps(
+                {
+                    "access_token": "lin_oauth_envpath",
+                    "refresh_token": "rt",
+                    "expires_at": future,
+                    "scope": "read",
+                    "client_id": "c",
+                    "client_secret": "s",
+                    "workspace_id": "w",
+                    "workspace_slug": "s",
+                    "installed_at": "x",
+                    "updated_at": "x",
+                    "installed_by_platform_user_id": "u",
+                }
+            ),
         }
         with patch("boto3.client", return_value=mock_sm):
             assert resolve_linear_api_token() == "lin_oauth_envpath"