fix(2.0b-O2): batch 3 — schema validation, CallbackResult union, parity contract

Three remaining substantive review items from PR aws-samples#160:

- Validate all 11 fields in getOauthSecret (review non-blocking aws-samples#7).
  Was checking only access_token / refresh_token / expires_at; missing
  client_id or client_secret only surfaced 24h later when the refresh
  call needed them and found undefined. Extracted the required-field
  list into a const next to the StoredOauthToken interface and check
  the full set at deserialization. Bad secrets fail fast at fetch
  time with a structured log line naming the missing fields.

- CallbackResult discriminated union (review non-blocking aws-samples#6). Was
  `{ sessionId: string|null, code: string|null, state: string|null }`
  which let callers construct unreachable shapes. Split into
  `{ kind: 'agentcore', sessionId } | { kind: 'direct-oauth', code, state }`.
  Updated the resolver site (`oauth-callback-server.ts`), the
  consumer (`bgagent linear setup`), and the test file to use
  exhaustive type-narrowing. The setup wizard now errors clearly if
  it gets the agentcore shape (parked path) instead of silently
  passing nulls down.

- Cross-language schema-parity contract test (review non-blocking #3).
  CLI's StoredLinearOauthToken and Lambda's StoredOauthToken define
  the same JSON-in-Secrets-Manager schema independently; drift
  between the two would be a silent bug (CLI writes one field name,
  Lambda reads another, refresh works, every Lambda invocation logs
  a missing-field error). New test in
  `cdk/test/contracts/stored-oauth-token-parity.test.ts` regex-parses
  both interface definitions out of source and asserts the field set
  is equal. Also asserts the new
  `STORED_OAUTH_TOKEN_REQUIRED_FIELDS` const matches the interface,
  so future field additions can't drift between the validator and
  the type.

CLI tests 286/286 pass. CDK resolver + contract 13/13 pass.

Author: isadeks

cdk/src/handlers/shared/linear-oauth-resolver.ts

@@ -218,6 +218,32 @@ async function getRegistryRow(
   return row;
 }
 
+/**
+ * Required fields on the StoredOauthToken JSON in Secrets Manager.
+ * Validated as a set at deserialization so a missing field fails fast
+ * here, not 24 hours later inside `tryRefreshOnce` when the refresh
+ * call needs `client_id` / `client_secret` and finds them undefined.
+ *
+ * Keep this list in sync with the `StoredOauthToken` interface above
+ * AND the CLI-side `StoredLinearOauthToken` shape (see
+ * `cli/src/linear-oauth.ts`). The contract test in
+ * `cdk/test/contracts/stored-oauth-token-parity.test.ts` enforces
+ * the cross-language match.
+ */
+const STORED_OAUTH_TOKEN_REQUIRED_FIELDS: ReadonlyArray<keyof StoredOauthToken> = [
+  'access_token',
+  'refresh_token',
+  'expires_at',
+  'scope',
+  'client_id',
+  'client_secret',
+  'workspace_id',
+  'workspace_slug',
+  'installed_at',
+  'updated_at',
+  'installed_by_platform_user_id',
+];
+
 async function getOauthSecret(
   sm: SecretsManagerClient,
   secretArn: string,
@@ -226,7 +252,16 @@ async function getOauthSecret(
     const res = await sm.send(new GetSecretValueCommand({ SecretId: secretArn }));
     if (!res.SecretString) return null;
     const parsed = JSON.parse(res.SecretString) as StoredOauthToken;
-    if (!parsed.access_token || !parsed.refresh_token || !parsed.expires_at) return null;
+    const missing = STORED_OAUTH_TOKEN_REQUIRED_FIELDS.filter(
+      (f) => typeof parsed[f] !== 'string' || (parsed[f] as string).length === 0,
+    );
+    if (missing.length > 0) {
+      logger.error('Linear OAuth secret JSON is missing required fields', {
+        secret_arn: secretArn,
+        missing_fields: missing,
+      });
+      return null;
+    }
     return parsed;
   } catch (err) {
     logger.error('Failed to fetch Linear OAuth secret', {

cdk/test/contracts/stored-oauth-token-parity.test.ts

@@ -0,0 +1,91 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+/**
+ * Cross-language contract: the JSON schema written into Secrets Manager
+ * by the CLI's `bgagent linear setup` MUST match what the Lambda-side
+ * resolver expects to read. Two TypeScript interfaces define the shape
+ * independently — `StoredLinearOauthToken` (CLI) and `StoredOauthToken`
+ * (Lambda). Without a contract test, drift between the two is a silent
+ * runtime bug: CLI writes `installer_user_id`, Lambda reads
+ * `installed_by_platform_user_id`, refresh works, every Lambda
+ * invocation logs a missing-field error.
+ *
+ * This test parses both interface definitions out of source and
+ * asserts the field set is equal. It deliberately avoids importing
+ * the CLI (cross-package import would couple build orders); a
+ * lightweight regex-extract is enough to keep the schemas honest.
+ */
+
+const REPO_ROOT = path.resolve(__dirname, '..', '..', '..');
+const LAMBDA_RESOLVER = path.join(REPO_ROOT, 'cdk', 'src', 'handlers', 'shared', 'linear-oauth-resolver.ts');
+const CLI_OAUTH = path.join(REPO_ROOT, 'cli', 'src', 'linear-oauth.ts');
+
+function extractInterfaceFields(source: string, interfaceName: string): string[] {
+  const reBlock = new RegExp(`export\\s+interface\\s+${interfaceName}\\s*\\{([\\s\\S]*?)\\n\\}`);
+  const match = reBlock.exec(source);
+  if (!match) {
+    throw new Error(`Could not find interface ${interfaceName}`);
+  }
+  const body = match[1];
+  const fields: string[] = [];
+  // Match `readonly <name>:` or `<name>:` field declarations. Skip
+  // lines that are inside JSDoc comment blocks (start with `*`) or
+  // single-line comments (`//`).
+  for (const rawLine of body.split('\n')) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('//') || line.startsWith('/*') || line.startsWith('*')) continue;
+    const fieldMatch = /^(?:readonly\s+)?([a-zA-Z_][a-zA-Z0-9_]*)\??\s*:/.exec(line);
+    if (fieldMatch) {
+      fields.push(fieldMatch[1]);
+    }
+  }
+  return fields;
+}
+
+describe('StoredOauthToken / StoredLinearOauthToken cross-language parity', () => {
+  test('Lambda and CLI define the same set of fields', () => {
+    const lambdaSource = fs.readFileSync(LAMBDA_RESOLVER, 'utf8');
+    const cliSource = fs.readFileSync(CLI_OAUTH, 'utf8');
+
+    const lambdaFields = extractInterfaceFields(lambdaSource, 'StoredOauthToken').sort();
+    const cliFields = extractInterfaceFields(cliSource, 'StoredLinearOauthToken').sort();
+
+    expect(lambdaFields).toEqual(cliFields);
+    // Sanity: at least 11 fields per the documented schema. Catches
+    // a regex parse failure that returns empty arrays.
+    expect(lambdaFields.length).toBeGreaterThanOrEqual(11);
+  });
+
+  test('Lambda STORED_OAUTH_TOKEN_REQUIRED_FIELDS const matches the interface', () => {
+    const lambdaSource = fs.readFileSync(LAMBDA_RESOLVER, 'utf8');
+    const interfaceFields = extractInterfaceFields(lambdaSource, 'StoredOauthToken').sort();
+
+    const constMatch = /STORED_OAUTH_TOKEN_REQUIRED_FIELDS:\s*ReadonlyArray<keyof StoredOauthToken>\s*=\s*\[([\s\S]*?)\];/.exec(lambdaSource);
+    expect(constMatch).not.toBeNull();
+    const constFields = (constMatch![1].match(/'([a-zA-Z_][a-zA-Z0-9_]*)'/g) ?? [])
+      .map((s) => s.replace(/'/g, ''))
+      .sort();
+
+    expect(constFields).toEqual(interfaceFields);
+  });
+});

cli/src/commands/linear.ts

@@ -409,28 +409,15 @@ export function makeLinearCommand(): Command {
         const callback = await callbackPromise;
         console.log(' ✓');
 
-        // The localhost callback server resolves with `?session_id=` from
-        // AWS's redirect, but we're not using AgentCore — for the direct
-        // flow, the callback server gives us `?code=...&state=...` from
-        // Linear directly. We need to extract differently.
-        //
-        // Reality check: our awaitOauthCallback() is hard-coded to
-        // extract `session_id`. For Option 2 we need to also capture
-        // `code` + `state` from the same redirect. The localhost server
-        // module needs adjusting; for now we use a workaround that reads
-        // the 'session_id' field which the callback server populated
-        // from whatever query param was named `session_id`. We override
-        // by re-reading the actual redirect URL inside the server.
-        //
-        // Defensive: callback.sessionId may contain the full session_id
-        // value when this code is reached against an AgentCore-style
-        // redirect. We don't reach here in O2 because Linear redirects
-        // with `code` + `state`, not `session_id`. The callback module
-        // is updated separately to expose both shapes.
-        if (!callback.code || !callback.state) {
+        // Phase 2.0b Option 2 expects Linear to redirect with `code` +
+        // `state`. If we got the AgentCore session_id shape, the user
+        // likely configured an `actor=app` flow against an AgentCore
+        // Identity provider — that path is parked, error out clearly.
+        if (callback.kind !== 'direct-oauth') {
           throw new CliError(
-            'Localhost callback did not surface code/state. This indicates the callback '
-            + 'server module is in legacy AgentCore-only mode; rebuild the CLI.',
+            'Localhost callback returned an AgentCore session_id, not a direct OAuth code. '
+            + 'Phase 2.0b Option 2 only supports the direct redirect — verify Linear\'s '
+            + 'redirect URI is set to http://localhost:8080/oauth/callback and re-run.',
           );
         }
         if (callback.state !== state) {

cli/src/oauth-callback-server.ts

@@ -49,26 +49,34 @@ const FAILURE_HTML = `<!doctype html>
 <style>body{font-family:system-ui,sans-serif;max-width:480px;margin:8em auto;text-align:center;color:#222}h1{color:#c00}p{color:#666}</style></head>
 <body><h1>✗ Authorization not captured</h1><p>The callback URL did not include a session_id. Re-run <code>bgagent linear setup</code> and try again.</p></body></html>`;
 
-export interface CallbackResult {
-  /**
-   * Value of the `session_id` query param if present (AgentCore-style
-   * redirect). Null in direct-OAuth flows where Linear redirects with
-   * `code` + `state` instead.
-   */
-  readonly sessionId: string | null;
-  /**
-   * OAuth `code` from a direct-Linear redirect (Phase 2.0b Option 2).
-   * Null in AgentCore-style flows where AWS performs the code-to-token
-   * exchange itself.
-   */
-  readonly code: string | null;
-  /**
-   * OAuth `state` from a direct-Linear redirect — caller MUST verify
-   * against the value passed into `buildAuthorizationUrl` to prevent
-   * CSRF. Null in AgentCore-style flows.
-   */
-  readonly state: string | null;
-}
+/**
+ * Discriminated union over the two redirect shapes Linear may send to
+ * the localhost callback. Was previously an all-nullable struct
+ * `{ sessionId: string | null, code: string | null, state: string | null }`
+ * which let callers (and tests) construct nonsense values like
+ * "all three null" or "sessionId AND code+state set" — neither is
+ * actually reachable in production. Splitting into two cases makes
+ * downstream pattern-matching exhaustive and the "impossible state"
+ * unrepresentable.
+ *
+ * - `agentcore`: legacy AgentCore Identity USER_FEDERATION redirect.
+ *   AWS handles the code-for-token exchange itself; we receive only
+ *   the session_id we use to poll for the resulting token. Parked
+ *   path; kept for the eventual 2.0c resume.
+ * - `direct-oauth`: Phase 2.0b Option 2. Linear redirects directly to
+ *   localhost with `code` + `state`. Caller MUST verify `state` against
+ *   the value passed into `buildAuthorizationUrl` to prevent CSRF.
+ */
+export type CallbackResult =
+  | {
+      readonly kind: 'agentcore';
+      readonly sessionId: string;
+    }
+  | {
+      readonly kind: 'direct-oauth';
+      readonly code: string;
+      readonly state: string;
+    };
 
 export interface CallbackServerOptions {
   /**
@@ -179,8 +187,15 @@ export async function awaitOauthCallback(
         }
         res.statusCode = 200;
         res.setHeader('content-type', 'text/html; charset=utf-8');
+        // Build the discriminated union value here so callers don't
+        // see the all-nullable shape. Direct-OAuth path takes
+        // precedence: if Linear sent both session_id AND code+state
+        // (shouldn't happen, but defensively…) we treat it as direct.
+        const result: CallbackResult = code && state
+          ? { kind: 'direct-oauth', code, state }
+          : { kind: 'agentcore', sessionId: sessionId! };
         res.once('finish', () => {
-          settle(() => resolve({ sessionId, code, state }));
+          settle(() => resolve(result));
         });
         res.end(SUCCESS_HTML);
       },

cli/test/oauth-callback-server.test.ts

@@ -50,7 +50,7 @@ describe('awaitOauthCallback', () => {
   // Jest's default test isolation per file. If a developer has another
   // bgagent setup running locally, expect EADDRINUSE.
 
-  test('captures session_id from the first valid request and resolves', async () => {
+  test('captures session_id from the first valid request and resolves with kind=agentcore', async () => {
     // Fire the server + the request in parallel; the server resolves once it
     // sees the request, then closes.
     const expectedSessionId = 'urn:ietf:params:oauth:request_uri:test-uuid';
@@ -60,12 +60,15 @@ describe('awaitOauthCallback', () => {
     const requestPromise = localGet(`/oauth/callback?session_id=${encodeURIComponent(expectedSessionId)}`);
 
     const [callbackResult, response] = await Promise.all([callbackPromise, requestPromise]);
-    expect(callbackResult.sessionId).toBe(expectedSessionId);
+    expect(callbackResult.kind).toBe('agentcore');
+    if (callbackResult.kind === 'agentcore') {
+      expect(callbackResult.sessionId).toBe(expectedSessionId);
+    }
     expect(response.status).toBe(200);
     expect(response.body).toContain('Linear authorized');
   });
 
-  test('captures code+state from a direct Linear OAuth redirect', async () => {
+  test('captures code+state from a direct Linear OAuth redirect with kind=direct-oauth', async () => {
     // Phase 2.0b Option 2 path: Linear redirects with `code` + `state`
     // (no AgentCore proxy in the middle).
     const callbackPromise = awaitOauthCallback({ timeoutMs: 5_000 });
@@ -75,9 +78,11 @@ describe('awaitOauthCallback', () => {
     );
 
     const [callbackResult, response] = await Promise.all([callbackPromise, requestPromise]);
-    expect(callbackResult.code).toBe('lin_authcode_abc');
-    expect(callbackResult.state).toBe('stateuuid');
-    expect(callbackResult.sessionId).toBeNull();
+    expect(callbackResult.kind).toBe('direct-oauth');
+    if (callbackResult.kind === 'direct-oauth') {
+      expect(callbackResult.code).toBe('lin_authcode_abc');
+      expect(callbackResult.state).toBe('stateuuid');
+    }
     expect(response.status).toBe(200);
   });