fix(connectors): gh PATH resolution + Linear actions (#261)

* fix(connectors): resolve gh/git via login-shell PATH in packaged builds

Packaged Electron on macOS doesn't inherit the login-shell PATH, so
Homebrew-installed `gh` at /opt/homebrew/bin wasn't visible to spawn
and surfaced as the cryptic "spawn gh ENOENT" in Settings → Connectors.

- Add resolveExecutable() that searches PATH from getSafeEnv() (login
  shell on macOS/Linux, process env on Windows with .exe/.cmd suffixes).
- GitHub connector + connector:status use the resolved path and pass
  env: getSafeEnv() so gh's subprocesses also inherit the right PATH.
- connector:status returns distinct messages for "not installed" (with
  platform install command) vs "not signed in" (gh auth login hint).
- Generalize the resolver to git too (git-utils, file-utils), falling
  back to the bare name so nothing regresses when resolution misses.
- Banner UI preserves newlines and renders `backtick` spans as code.

* feat(linear): add commentOnIssue, createIssue, closeIssue actions

Linear was read-only (tasks + triggers). Add three basic actions so it
can be used as a downstream in workflows like GitHub.

- commentOnIssue: resolve issue UUID by identifier, commentCreate.
- createIssue: resolve team UUID by key (defaults to connection team),
  issueCreate with title + optional description.
- closeIssue: fetch issue's team, pick the lowest-position workflow
  state with type=completed ("Done" before "Merged"/"Released"),
  issueUpdate with that stateId.

Registered under capabilities and manifest.actions with
{{connectorItem.externalId}} placeholders so they slot into workflows
the same way GitHub's actions do.

* style: prettier format resolve-executable.ts

* test: update github/linear connector tests for PATH + Linear actions

- github-connector: gh path can now be absolute (resolveGhPath) so match
  by basename instead of exact "gh". Pass an explicit cursor to the
  prOpened poll test to stop it flaking once wall-clock passes the
  hardcoded created_at.
- linear-connector: capabilities now include "actions"; add coverage for
  commentOnIssue, createIssue, closeIssue happy paths and validation.

* fix(connectors): address Copilot review on PR #261

- gh env: stop stripping GH_TOKEN/GITHUB_TOKEN so token-based gh auth
  keeps working. New getGhEnv() starts from getSafeEnv() (login-shell
  PATH) and re-adds the gh auth env vars from process.env.
- resolveExecutable: only cache successful lookups so a fresh gh/git
  install is picked up without an app restart.
- runWithStdin: spawn() ignores `timeout`, so add an explicit 15s
  safety timer that SIGTERMs the child — a hung credential helper
  could previously block the poll path indefinitely.
- Linear closeIssue: query workflowStates with orderBy: position and
  fetch up to 50 so the lowest-position completed state is reliably
  the "Done" one, even on teams with many post-done states.
- connector:status: log the underlying error when gh auth status
  fails so non-auth failures aren't silently lost.

* test: cover gh-cli, resolve-executable, and linear error branches

CI's 80% patch-coverage gate was failing at 79% because the new
install-hint / error helpers and a handful of action validation
branches weren't exercised.

- gh-cli: platform-specific install hints, GhNotFoundError shape,
  getGhEnv() preserves GH_TOKEN / GITHUB_TOKEN and starts from
  safe env (login-shell PATH).
- resolve-executable: negative lookups re-probe (not cached),
  positive lookups cache, empty PATH → null, Windows .exe/.cmd
  suffix fallback, resetResolveCache by name and globally.
- linear: explicit coverage for success=false returns on each
  mutation, "team not found", "no completed state", "identifier
  not found", and required-body validation for commentOnIssue.

Author: jcanizalez

packages/server/src/connectors/gh-cli.ts

@@ -0,0 +1,40 @@
+import { resolveExecutable } from '../resolve-executable'
+import { getSafeEnv } from '../process-utils'
+
+export function resolveGhPath(): string | null {
+  return resolveExecutable('gh')
+}
+
+/**
+ * Env for invoking `gh`. Starts from `getSafeEnv()` for the login-shell PATH
+ * but re-adds `GH_TOKEN` / `GITHUB_TOKEN` from the raw process env — `gh`
+ * supports non-interactive auth via those, and `getSafeEnv()` strips them by
+ * default as a general precaution.
+ */
+export function getGhEnv(): Record<string, string> {
+  const env = getSafeEnv()
+  for (const key of ['GH_TOKEN', 'GITHUB_TOKEN']) {
+    const val = process.env[key]
+    if (val) env[key] = val
+  }
+  return env
+}
+
+export function ghInstallHint(): string {
+  switch (process.platform) {
+    case 'darwin':
+      return 'Install with Homebrew: `brew install gh`'
+    case 'win32':
+      return 'Install with winget: `winget install --id GitHub.cli` (or download from https://cli.github.com)'
+    default:
+      return 'Install from https://cli.github.com (Debian/Ubuntu: `sudo apt install gh`)'
+  }
+}
+
+export class GhNotFoundError extends Error {
+  readonly code = 'GH_NOT_FOUND'
+  constructor() {
+    super(`GitHub CLI (gh) not found on PATH. ${ghInstallHint()}`)
+    this.name = 'GhNotFoundError'
+  }
+}

packages/server/src/connectors/github.ts

@@ -9,6 +9,7 @@ import type {
   TaskStatus
 } from '@vornrun/shared/types'
 import log from '../logger'
+import { resolveGhPath, GhNotFoundError, getGhEnv } from './gh-cli'
 
 const execFileAsync = promisify(execFile)
 
@@ -26,13 +27,17 @@ function isTransientErr(err: unknown): boolean {
  * so gh's non-zero exit reasons (e.g. rate limiting, auth) surface in logs.
  */
 async function gh(args: string[], cwd?: string, input?: string): Promise<string> {
+  const ghPath = resolveGhPath()
+  if (!ghPath) throw new GhNotFoundError()
+  const env = getGhEnv()
   const run = async () => {
     if (input !== undefined) {
-      return runWithStdin(args, input, cwd)
+      return runWithStdin(ghPath, args, input, cwd, env)
     }
-    const { stdout } = await execFileAsync('gh', args, {
+    const { stdout } = await execFileAsync(ghPath, args, {
       timeout: 15_000,
       maxBuffer: 10 * 1024 * 1024,
+      env,
       ...(cwd && { cwd })
     })
     return stdout
@@ -58,19 +63,47 @@ async function gh(args: string[], cwd?: string, input?: string): Promise<string>
 
 /** Run `gh` feeding `input` on stdin. Used by `gh api --input -` paths so we
  *  never interpolate untrusted body values into shell arguments. */
-function runWithStdin(args: string[], input: string, cwd?: string): Promise<string> {
+function runWithStdin(
+  ghPath: string,
+  args: string[],
+  input: string,
+  cwd: string | undefined,
+  env: Record<string, string>
+): Promise<string> {
   return new Promise((resolve, reject) => {
-    const child = spawn('gh', args, { cwd, timeout: 15_000 })
+    // Note: child_process.spawn doesn't honor `timeout` (unlike execFile), so
+    // we enforce it with an explicit timer. Without this, a `gh` subprocess
+    // blocking on e.g. a hung credential helper would hang poll/exec forever.
+    const child = spawn(ghPath, args, { cwd, env })
     let stdout = ''
     let stderr = ''
+    let settled = false
+    const timer = setTimeout(() => {
+      if (settled) return
+      settled = true
+      try {
+        child.kill('SIGTERM')
+      } catch {
+        /* already exited */
+      }
+      reject(new Error('gh command timed out after 15s'))
+    }, 15_000)
     child.stdout.on('data', (d) => {
       stdout += d.toString()
     })
     child.stderr.on('data', (d) => {
       stderr += d.toString()
     })
-    child.on('error', reject)
+    child.on('error', (err) => {
+      if (settled) return
+      settled = true
+      clearTimeout(timer)
+      reject(err)
+    })
     child.on('close', (code) => {
+      if (settled) return
+      settled = true
+      clearTimeout(timer)
       if (code === 0) return resolve(stdout)
       reject(new Error(`gh exited with code ${code}: ${stderr.trim() || 'no stderr'}`))
     })

packages/server/src/connectors/linear.ts

@@ -78,6 +78,70 @@ const ISSUE_FIELDS = `
   team { key }
 `
 
+async function resolveIssueId(apiKey: string, identifier: string): Promise<string | null> {
+  const data = await linearGraphQL<{ issues: { nodes: Array<{ id: string }> } }>(
+    apiKey,
+    `query IssueIdByIdentifier($identifier: String!) {
+       issues(filter: { identifier: { eq: $identifier } }, first: 1) { nodes { id } }
+     }`,
+    { identifier }
+  )
+  return data.issues.nodes[0]?.id ?? null
+}
+
+async function resolveIssueWithTeam(
+  apiKey: string,
+  identifier: string
+): Promise<{ id: string; teamId: string; teamKey: string } | null> {
+  const data = await linearGraphQL<{
+    issues: { nodes: Array<{ id: string; team: { id: string; key: string } }> }
+  }>(
+    apiKey,
+    `query IssueWithTeam($identifier: String!) {
+       issues(filter: { identifier: { eq: $identifier } }, first: 1) {
+         nodes { id team { id key } }
+       }
+     }`,
+    { identifier }
+  )
+  const node = data.issues.nodes[0]
+  return node ? { id: node.id, teamId: node.team.id, teamKey: node.team.key } : null
+}
+
+async function resolveTeamId(apiKey: string, teamKey: string): Promise<string | null> {
+  const data = await linearGraphQL<{ teams: { nodes: Array<{ id: string }> } }>(
+    apiKey,
+    `query TeamIdByKey($key: String!) {
+       teams(filter: { key: { eq: $key } }, first: 1) { nodes { id } }
+     }`,
+    { key: teamKey }
+  )
+  return data.teams.nodes[0]?.id ?? null
+}
+
+async function resolveCompletedStateId(apiKey: string, teamId: string): Promise<string | null> {
+  // orderBy: position so the lowest-position completed state ("Done" in
+  // Linear's defaults) is at index 0. Fetch a generous page so we don't miss
+  // it if a team has many post-done states (Merged, Released, Shipped, etc.).
+  const data = await linearGraphQL<{
+    workflowStates: { nodes: Array<{ id: string; type: string; position: number }> }
+  }>(
+    apiKey,
+    `query CompletedStates($teamId: ID!) {
+       workflowStates(
+         filter: { team: { id: { eq: $teamId } }, type: { eq: "completed" } }
+         orderBy: position
+         first: 50
+       ) { nodes { id type position } }
+     }`,
+    { teamId }
+  )
+  const nodes = data.workflowStates.nodes
+  if (!nodes.length) return null
+  // Defensive client-side sort in case the server ever returns out of order.
+  return nodes.slice().sort((a, b) => a.position - b.position)[0].id
+}
+
 function requireAuth(filters: Record<string, unknown>): string {
   const key = filters.apiKey
   if (typeof key !== 'string' || !key.trim()) {
@@ -92,7 +156,7 @@ export const linearConnector: VornConnector = {
   id: 'linear',
   name: 'Linear',
   icon: 'linear',
-  capabilities: ['tasks', 'triggers'],
+  capabilities: ['tasks', 'triggers', 'actions'],
 
   async listItems(filters: Record<string, unknown>): Promise<ExternalItem[]> {
     const apiKey = requireAuth(filters)
@@ -189,10 +253,107 @@ export const linearConnector: VornConnector = {
     }
   },
 
-  async execute(actionType: string, _args: Record<string, unknown>): Promise<ActionResult> {
-    // Linear actions (createIssue, updateIssue) not yet implemented — the
-    // connector is read-only for polling tasks into the board.
-    return { success: false, error: `Linear action "${actionType}" not implemented yet` }
+  async execute(actionType: string, args: Record<string, unknown>): Promise<ActionResult> {
+    const apiKey = requireAuth(args)
+
+    switch (actionType) {
+      case 'commentOnIssue': {
+        const identifier = typeof args.identifier === 'string' ? args.identifier : ''
+        const body = typeof args.body === 'string' ? args.body : ''
+        if (!identifier) return { success: false, error: 'identifier is required (e.g. ENG-123)' }
+        if (!body) return { success: false, error: 'body is required' }
+        const issueId = await resolveIssueId(apiKey, identifier)
+        if (!issueId) return { success: false, error: `Issue ${identifier} not found` }
+        const data = await linearGraphQL<{
+          commentCreate: { success: boolean; comment: { id: string; url: string } }
+        }>(
+          apiKey,
+          `mutation CreateComment($input: CommentCreateInput!) {
+             commentCreate(input: $input) { success comment { id url } }
+           }`,
+          { input: { issueId, body } }
+        )
+        if (!data.commentCreate.success) {
+          return { success: false, error: 'Linear commentCreate returned success=false' }
+        }
+        return { success: true, output: { url: data.commentCreate.comment.url } }
+      }
+
+      case 'createIssue': {
+        const title = typeof args.title === 'string' ? args.title : ''
+        if (!title) return { success: false, error: 'title is required' }
+        const description = typeof args.description === 'string' ? args.description : undefined
+        const teamKey = typeof args.teamKey === 'string' ? args.teamKey : undefined
+        if (!teamKey) {
+          return {
+            success: false,
+            error: 'teamKey is required (set it on the connection or per-action)'
+          }
+        }
+        const teamId = await resolveTeamId(apiKey, teamKey)
+        if (!teamId) return { success: false, error: `Team ${teamKey} not found` }
+        const input: Record<string, unknown> = { teamId, title }
+        if (description) input.description = description
+        const data = await linearGraphQL<{
+          issueCreate: {
+            success: boolean
+            issue: { id: string; identifier: string; url: string }
+          }
+        }>(
+          apiKey,
+          `mutation CreateIssue($input: IssueCreateInput!) {
+             issueCreate(input: $input) { success issue { id identifier url } }
+           }`,
+          { input }
+        )
+        if (!data.issueCreate.success) {
+          return { success: false, error: 'Linear issueCreate returned success=false' }
+        }
+        return {
+          success: true,
+          output: {
+            identifier: data.issueCreate.issue.identifier,
+            url: data.issueCreate.issue.url
+          }
+        }
+      }
+
+      case 'closeIssue': {
+        const identifier = typeof args.identifier === 'string' ? args.identifier : ''
+        if (!identifier) return { success: false, error: 'identifier is required (e.g. ENG-123)' }
+        const issue = await resolveIssueWithTeam(apiKey, identifier)
+        if (!issue) return { success: false, error: `Issue ${identifier} not found` }
+        // Pick a "completed"-type workflow state on the issue's team. Linear
+        // doesn't have a single canonical "Done" — each team configures its
+        // own, so we grab the first completed-type state.
+        const stateId = await resolveCompletedStateId(apiKey, issue.teamId)
+        if (!stateId) {
+          return { success: false, error: `No completed-type state on team ${issue.teamKey}` }
+        }
+        const data = await linearGraphQL<{
+          issueUpdate: { success: boolean; issue: { id: string; state: { name: string } } }
+        }>(
+          apiKey,
+          `mutation CloseIssue($id: String!, $input: IssueUpdateInput!) {
+             issueUpdate(id: $id, input: $input) { success issue { id state { name } } }
+           }`,
+          { id: issue.id, input: { stateId } }
+        )
+        if (!data.issueUpdate.success) {
+          return { success: false, error: 'Linear issueUpdate returned success=false' }
+        }
+        return { success: true, output: { state: data.issueUpdate.issue.state.name } }
+      }
+
+      case 'syncTasks': {
+        // Handled by the sync engine at a higher level; the action node
+        // calls listItems() and does upsert logic.
+        return { success: true }
+      }
+
+      default:
+        return { success: false, error: `Unknown action: ${actionType}` }
+    }
   },
 
   describe(): ConnectorManifest {
@@ -243,7 +404,75 @@ export const linearConnector: VornConnector = {
           defaultIntervalMs: 60_000
         }
       ],
-      actions: [],
+      actions: [
+        // teamKey / apiKey come from the connection's filters/auth and are
+        // merged server-side before execute() runs, so they're not duplicated
+        // in these configFields.
+        {
+          type: 'commentOnIssue',
+          label: 'Comment on Issue',
+          description: 'Post a comment on a Linear issue',
+          configFields: [
+            {
+              key: 'identifier',
+              label: 'Issue',
+              type: 'text',
+              required: true,
+              placeholder: '{{connectorItem.externalId}}',
+              supportsTemplates: true
+            },
+            {
+              key: 'body',
+              label: 'Comment',
+              type: 'textarea',
+              required: true,
+              supportsTemplates: true
+            }
+          ]
+        },
+        {
+          type: 'createIssue',
+          label: 'Create Issue',
+          description: 'Create a new Linear issue',
+          configFields: [
+            {
+              key: 'title',
+              label: 'Title',
+              type: 'text',
+              required: true,
+              supportsTemplates: true
+            },
+            {
+              key: 'description',
+              label: 'Description',
+              type: 'textarea',
+              supportsTemplates: true
+            },
+            {
+              key: 'teamKey',
+              label: 'Team Key',
+              type: 'text',
+              placeholder: 'ENG (defaults to connection team)',
+              description: 'Override the connection team for this action.'
+            }
+          ]
+        },
+        {
+          type: 'closeIssue',
+          label: 'Close Issue',
+          description: "Move an issue to the team's default completed state",
+          configFields: [
+            {
+              key: 'identifier',
+              label: 'Issue',
+              type: 'text',
+              required: true,
+              placeholder: '{{connectorItem.externalId}}',
+              supportsTemplates: true
+            }
+          ]
+        }
+      ],
       defaultWorkflows: [
         {
           name: 'Linear: Issue Created',