feat(jira): thread authType through discovery + verification endpoints#1490
Merged
aaight merged 1 commit intoJul 10, 2026
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
nhopeatall
approved these changes
Jul 10, 2026
nhopeatall
left a comment
Collaborator
There was a problem hiding this comment.
Summary
APPROVE — Correct, type-safe, and comprehensively tested. The PR threads JIRA authType through exactly the discovery + verification surfaces the work item (MNG-1743) scopes, mirroring the established baseUrl → base_url promotion pattern, with no regression to the historical basic default.
Verification
Traced the full flow and confirmed all five acceptance criteria:
coerceJiraAuthTypenarrows'basic' | 'scoped'and collapses everything else ('',123,null,'bearer') toundefined→ downstreamresolveJiraApiBaseUrltreats it asbasic. Garbage can never select the scoped gateway host.createDiscoveryProvider(manifest.ts:232) andcreateCustomField(manifest.ts:121) both thread the coercedauthTypeintowithJiraCredentials, socurrentUser/projects/states/customFieldsroute through the correct host.configToCredentials(manifest.ts:166) promotesauthType → auth_typeadditively — emitted even whenbaseUrlis absent, skipped for unrecognized values. The refactor from the earlyreturn {}to the accumulatingpromotedobject is behavior-preserving for the existingbase_urlcase.integrationsDiscovery.ts—jiraCredsInputgains the optional enum (rejects unknown values at the Zod boundary); both the raw-creds (jiraProjectDetails) and stored-creds (jiraProjectDetailsByProject, resolved fromproject_integrations.config) paths forward it.- Type safety holds:
JiraCredentials.authType?: JiraAuthTypeis consumed byresolveJiraApiBaseUrl; thepm.discovery.discoverprojectIdpath picks up the promotedauth_typeviapromoteConfigCredentials.
Ran the touched suites locally: manifest-config-to-credentials / manifest-discovery / manifest-mutations (28) + integrationsDiscovery (53) all green; CI 7/7.
Notes (non-blocking)
- Runtime webhook-dispatch path is not threaded (out of scope, pre-existing).
src/router/adapters/jira.ts:130still builds{ email, apiToken, baseUrl }withoutauthTypewhen establishing credential scope for trigger dispatch (and the Sentry adapter's JIRA branch does the same). The in-worker paths (integration.ts:71,cli/base.ts:63) and now the discovery/verification paths all thread it — only webhook-triggered dispatch does not. That means a scoped-auth JIRA project's trigger-time API calls would route to the site host rather than the gateway. This is genuinely separate from MNG-1743's discovery+verification scope and isn't a regression from this PR, but worth confirming it's tracked as a follow-up rather than an oversight. - Minor duplication:
jiraProjectDetailsByProjectre-inlines theauthTypenarrowing (rawAuthType === 'basic' || rawAuthType === 'scoped' ? ... : undefined) thatcoerceJiraAuthTypealready encapsulates. Since the helper isn't exported frommanifest.ts, the inline copy is understandable; if a shared home emerges (e.g. besideJiraAuthTypeinconfig-schema.ts), consolidating would remove the third copy of this predicate.
🕵️ claude-code · claude-opus-4-8 · run details
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Threads the JIRA
authTypeconnection setting through the discovery + verification endpoints so wizard-time verification (currentUser / projects / states / customFields) and edit-mode re-verification hit the correct host — the classic site URL forbasic, the Atlassian gateway forscoped. Backend-only; the wizard UI selector is a separate story.Builds on MNG-1736 (the optional
authTypeconfig/credential field) and MNG-1738 (JIRA API client host routing viaresolveJiraApiBaseUrl). Both are merged; this story closes the last gap so a savedauthType: 'scoped'actually reacheswithJiraCredentialson the discovery/verification paths.Backend keeps HTTP Basic (
email:api_token) for both modes —authTypeselects the host, not the auth scheme (per MNG-1735 research; no Bearer/OAuth behavior is introduced).Linear issue: https://linear.app/issue/MNG-1743
Changes
src/integrations/pm/jira/manifest.tscoerceJiraAuthType(unknown)helper that narrows a raw value to theJiraAuthType('basic' | 'scoped') union — unknown/absent →undefined, which downstream treats asbasic. Keeps garbage values from ever selecting the scoped gateway host.createDiscoveryProvidernow readscreds.auth_typeand threadsauthTypeintowithJiraCredentials(...), so discovery (projects/states/customFields/currentUser) routes through the correct host.createCustomFieldnow threadscredentials.auth_typeintowithJiraCredentials(...).configToCredentialsnow promotesconfig.authType → auth_typealongside the existingbaseUrl → base_url, so theprojectId(edit-mode) path ofpm.discovery.*picks up the saved auth mode. Promotion is additive and independent —auth_typeis emitted even whenbaseUrlis absent, and skipped for unrecognized values.src/api/routers/integrationsDiscovery.tsjiraCredsInputwithauthType: z.enum(['basic','scoped']).optional().withJiraCreds(raw-creds path used byjiraProjectDetails) now forwardsauthTypeinto the credentials bag →withJiraCredentials.jiraProjectDetailsByProject(stored-creds path) now resolvesauthTypefrom the savedproject_integrations.config(mirroring howbaseUrlis read) and threads it intowithJiraCredentials. Unknown/absent values resolve toundefined.Tests
manifest-config-to-credentials.test.ts— new block assertingauthTypepromotion toauth_type(scoped/basic, baseUrl-absent case, backward-compat when absent, and rejection of unknown/invalid values).manifest-discovery.test.ts— new block assertingcreateDiscoveryProviderforwardsauth_typeintowithJiraCredentials(scoped, basic, undefined-when-absent, undefined-for-unrecognized).manifest-mutations.test.ts— new assertions thatcreateCustomFieldthreadsauth_typeand passesundefinedwhen absent.integrationsDiscovery.test.ts— converted the JIRAwithJiraCredentialsmock to a capturablevi.fn(); new assertions that both the raw-creds (jiraProjectDetails) and stored-creds (jiraProjectDetailsByProject) paths threadauthType, that absent/unrecognized config values resolve toundefined, and that the input schema rejects an invalid enum value.authTyperound-trip throughjiraConfigSchemais already covered by the existing MNG-1736 suite (manifest-config-schema.test.ts); those stay green.pm-conformance.test.ts) stays green (100 tests).Verification
npm run typecheck— cleanbiome checkon changed/new files — cleanunit-corePM + integrations (1097 passed / 23 skipped),unit-api(794 passed), plus targeted JIRA/discovery/conformance runs — all green.Out of scope
authTypeselector (separate frontend story).🤖 Generated with Claude Code
🕵️ claude-code · claude-opus-4-8 · run details