fix(platform): Improve Linear Search Block [SECRT-1880] (#11967)

## Summary

Implements [SECRT-1880](https://linear.app/autogpt/issue/SECRT-1880) -
Improve Linear Search Block

## Changes

### Models (`models.py`)
- Added `State` model with `id`, `name`, and `type` fields for workflow
state information
- Added `state: State | None` field to `Issue` model

### API Client (`_api.py`)
- Updated `try_search_issues()` to:
- Add `max_results` parameter (default 10, was ~50) to reduce token
usage
  - Add `team_id` parameter for team filtering
- Return `createdAt`, `state`, `project`, and `assignee` fields in
results
- Fixed `try_get_team_by_name()` to return descriptive error message
when team not found instead of crashing with `IndexError`

### Block (`issues.py`)
- Added `max_results` input parameter (1-100, default 10)
- Added `team_name` input parameter for optional team filtering
- Added `error` output field for graceful error handling
- Added categories (`PRODUCTIVITY`, `ISSUE_TRACKING`)
- Updated test fixtures to include new fields

## Breaking Changes

| Change | Before | After | Mitigation |
|--------|--------|-------|------------|
| Default result count | ~50 | 10 | Users can set `max_results` up to
100 if needed |

## Non-Breaking Changes

- `state` field added to `Issue` (optional, defaults to `None`)
- `max_results` param added (has default value)
- `team_name` param added (optional, defaults to `None`)
- `error` output added (follows established pattern from GitHub blocks)

## Testing

- [x] Format/lint checks pass
- [x] Unit test fixtures updated

Resolves SECRT-1880

---------

Co-authored-by: Toran Bruce Richards <toran.richards@gmail.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Toran Bruce Richards <Torantulino@users.noreply.github.com>

autogpt_platform/backend/backend/api/features/chat/tools/utils.py

@@ -8,7 +8,12 @@ from backend.api.features.library import model as library_model
 from backend.api.features.store import db as store_db
 from backend.data import graph as graph_db
 from backend.data.graph import GraphModel
-from backend.data.model import Credentials, CredentialsFieldInfo, CredentialsMetaInput
+from backend.data.model import (
+    CredentialsFieldInfo,
+    CredentialsMetaInput,
+    HostScopedCredentials,
+    OAuth2Credentials,
+)
 from backend.integrations.creds_manager import IntegrationCredentialsManager
 from backend.util.exceptions import NotFoundError
 
@@ -273,7 +278,14 @@ async def match_user_credentials_to_graph(
                 for cred in available_creds
                 if cred.provider in credential_requirements.provider
                 and cred.type in credential_requirements.supported_types
-                and _credential_has_required_scopes(cred, credential_requirements)
+                and (
+                    cred.type != "oauth2"
+                    or _credential_has_required_scopes(cred, credential_requirements)
+                )
+                and (
+                    cred.type != "host_scoped"
+                    or _credential_is_for_host(cred, credential_requirements)
+                )
             ),
             None,
         )
@@ -318,19 +330,10 @@ async def match_user_credentials_to_graph(
 
 
 def _credential_has_required_scopes(
-    credential: Credentials,
+    credential: OAuth2Credentials,
     requirements: CredentialsFieldInfo,
 ) -> bool:
-    """
+    """Check if an OAuth2 credential has all the scopes required by the input."""
-    Check if a credential has all the scopes required by the block.
-
-    For OAuth2 credentials, verifies that the credential's scopes are a superset
-    of the required scopes. For other credential types, returns True (no scope check).
-    """
-    # Only OAuth2 credentials have scopes to check
-    if credential.type != "oauth2":
-        return True
-
     # If no scopes are required, any credential matches
     if not requirements.required_scopes:
         return True
@@ -339,6 +342,22 @@ def _credential_has_required_scopes(
     return set(credential.scopes).issuperset(requirements.required_scopes)
 
 
+def _credential_is_for_host(
+    credential: HostScopedCredentials,
+    requirements: CredentialsFieldInfo,
+) -> bool:
+    """Check if a host-scoped credential matches the host required by the input."""
+    # We need to know the host to match host-scoped credentials to.
+    # Graph.aggregate_credentials_inputs() adds the node's set URL value (if any)
+    # to discriminator_values. No discriminator_values -> no host to match against.
+    if not requirements.discriminator_values:
+        return True
+
+    # Check that credential host matches required host.
+    # Host-scoped credential inputs are grouped by host, so any item from the set works.
+    return credential.matches_url(list(requirements.discriminator_values)[0])
+
+
 async def check_user_has_required_credentials(
     user_id: str,
     required_credentials: list[CredentialsMetaInput],

autogpt_platform/backend/backend/blocks/linear/_api.py

@@ -162,8 +162,16 @@ class LinearClient:
                 "searchTerm": team_name,
             }
 
-            team_id = await self.query(query, variables)
+            result = await self.query(query, variables)
-            return team_id["teams"]["nodes"][0]["id"]
+            nodes = result["teams"]["nodes"]
+
+            if not nodes:
+                raise LinearAPIException(
+                    f"Team '{team_name}' not found. Check the team name or key and try again.",
+                    status_code=404,
+                )
+
+            return nodes[0]["id"]
         except LinearAPIException as e:
             raise e
 
@@ -240,17 +248,44 @@ class LinearClient:
         except LinearAPIException as e:
             raise e
 
-    async def try_search_issues(self, term: str) -> list[Issue]:
+    async def try_search_issues(
+        self,
+        term: str,
+        max_results: int = 10,
+        team_id: str | None = None,
+    ) -> list[Issue]:
         try:
             query = """
-                query SearchIssues($term: String!, $includeComments: Boolean!) {
+                query SearchIssues(
-                    searchIssues(term: $term, includeComments: $includeComments) {
+                    $term: String!,
+                    $first: Int,
+                    $teamId: String
+                ) {
+                    searchIssues(
+                        term: $term,
+                        first: $first,
+                        teamId: $teamId
+                    ) {
                         nodes {
                             id
                             identifier
                             title
                             description
                             priority
+                            createdAt
+                            state {
+                                id
+                                name
+                                type
+                            }
+                            project {
+                                id
+                                name
+                            }
+                            assignee {
+                                id
+                                name
+                            }
                         }
                     }
                 }
@@ -258,7 +293,8 @@ class LinearClient:
 
             variables: dict[str, Any] = {
                 "term": term,
-                "includeComments": True,
+                "first": max_results,
+                "teamId": team_id,
             }
 
             issues = await self.query(query, variables)

autogpt_platform/backend/backend/blocks/linear/issues.py

@@ -17,7 +17,7 @@ from ._config import (
     LinearScope,
     linear,
 )
-from .models import CreateIssueResponse, Issue
+from .models import CreateIssueResponse, Issue, State
 
 
 class LinearCreateIssueBlock(Block):
@@ -135,9 +135,20 @@ class LinearSearchIssuesBlock(Block):
             description="Linear credentials with read permissions",
             required_scopes={LinearScope.READ},
         )
+        max_results: int = SchemaField(
+            description="Maximum number of results to return",
+            default=10,
+            ge=1,
+            le=100,
+        )
+        team_name: str | None = SchemaField(
+            description="Optional team name to filter results (e.g., 'Internal', 'Open Source')",
+            default=None,
+        )
 
     class Output(BlockSchemaOutput):
         issues: list[Issue] = SchemaField(description="List of issues")
+        error: str = SchemaField(description="Error message if the search failed")
 
     def __init__(self):
         super().__init__(
@@ -145,8 +156,11 @@ class LinearSearchIssuesBlock(Block):
             description="Searches for issues on Linear",
             input_schema=self.Input,
             output_schema=self.Output,
+            categories={BlockCategory.PRODUCTIVITY, BlockCategory.ISSUE_TRACKING},
             test_input={
                 "term": "Test issue",
+                "max_results": 10,
+                "team_name": None,
                 "credentials": TEST_CREDENTIALS_INPUT_OAUTH,
             },
             test_credentials=TEST_CREDENTIALS_OAUTH,
@@ -156,10 +170,14 @@ class LinearSearchIssuesBlock(Block):
                     [
                         Issue(
                             id="abc123",
-                            identifier="abc123",
+                            identifier="TST-123",
                             title="Test issue",
                             description="Test description",
                             priority=1,
+                            state=State(
+                                id="state1", name="In Progress", type="started"
+                            ),
+                            createdAt="2026-01-15T10:00:00.000Z",
                         )
                     ],
                 )
@@ -168,10 +186,12 @@ class LinearSearchIssuesBlock(Block):
                 "search_issues": lambda *args, **kwargs: [
                     Issue(
                         id="abc123",
-                        identifier="abc123",
+                        identifier="TST-123",
                         title="Test issue",
                         description="Test description",
                         priority=1,
+                        state=State(id="state1", name="In Progress", type="started"),
+                        createdAt="2026-01-15T10:00:00.000Z",
                     )
                 ]
             },
@@ -181,10 +201,22 @@ class LinearSearchIssuesBlock(Block):
     async def search_issues(
         credentials: OAuth2Credentials | APIKeyCredentials,
         term: str,
+        max_results: int = 10,
+        team_name: str | None = None,
     ) -> list[Issue]:
         client = LinearClient(credentials=credentials)
-        response: list[Issue] = await client.try_search_issues(term=term)
+
-        return response
+        # Resolve team name to ID if provided
+        # Raises LinearAPIException with descriptive message if team not found
+        team_id: str | None = None
+        if team_name:
+            team_id = await client.try_get_team_by_name(team_name=team_name)
+
+        return await client.try_search_issues(
+            term=term,
+            max_results=max_results,
+            team_id=team_id,
+        )
 
     async def run(
         self,
@@ -196,7 +228,10 @@ class LinearSearchIssuesBlock(Block):
         """Execute the issue search"""
         try:
             issues = await self.search_issues(
-                credentials=credentials, term=input_data.term
+                credentials=credentials,
+                term=input_data.term,
+                max_results=input_data.max_results,
+                team_name=input_data.team_name,
             )
             yield "issues", issues
         except LinearAPIException as e:

autogpt_platform/backend/backend/blocks/linear/models.py

@@ -36,12 +36,21 @@ class Project(BaseModel):
     content: str | None = None
 
 
+class State(BaseModel):
+    id: str
+    name: str
+    type: str | None = (
+        None  # Workflow state type (e.g., "triage", "backlog", "started", "completed", "canceled")
+    )
+
+
 class Issue(BaseModel):
     id: str
     identifier: str
     title: str
     description: str | None
     priority: int
+    state: State | None = None
     project: Project | None = None
     createdAt: str | None = None
     comments: list[Comment] | None = None

autogpt_platform/backend/backend/data/model.py

@@ -19,7 +19,6 @@ from typing import (
     cast,
     get_args,
 )
-from urllib.parse import urlparse
 from uuid import uuid4
 
 from prisma.enums import CreditTransactionType, OnboardingStep
@@ -42,6 +41,7 @@ from typing_extensions import TypedDict
 
 from backend.integrations.providers import ProviderName
 from backend.util.json import loads as json_loads
+from backend.util.request import parse_url
 from backend.util.settings import Secrets
 
 # Type alias for any provider name (including custom ones)
@@ -397,19 +397,25 @@ class HostScopedCredentials(_BaseCredentials):
     def matches_url(self, url: str) -> bool:
         """Check if this credential should be applied to the given URL."""
 
-        parsed_url = urlparse(url)
+        request_host, request_port = _extract_host_from_url(url)
-        # Extract hostname without port
+        cred_scope_host, cred_scope_port = _extract_host_from_url(self.host)
-        request_host = parsed_url.hostname
         if not request_host:
             return False
 
-        # Simple host matching - exact match or wildcard subdomain match
+        # If a port is specified in credential host, the request host port must match
-        if self.host == request_host:
+        if cred_scope_port is not None and request_port != cred_scope_port:
+            return False
+        # Non-standard ports are only allowed if explicitly specified in credential host
+        elif cred_scope_port is None and request_port not in (80, 443, None):
+            return False
+
+        # Simple host matching
+        if cred_scope_host == request_host:
             return True
 
         # Support wildcard matching (e.g., "*.example.com" matches "api.example.com")
-        if self.host.startswith("*."):
+        if cred_scope_host.startswith("*."):
-            domain = self.host[2:]  # Remove "*."
+            domain = cred_scope_host[2:]  # Remove "*."
             return request_host.endswith(f".{domain}") or request_host == domain
 
         return False
@@ -551,13 +557,13 @@ class CredentialsMetaInput(BaseModel, Generic[CP, CT]):
     )
 
 
-def _extract_host_from_url(url: str) -> str:
+def _extract_host_from_url(url: str) -> tuple[str, int | None]:
-    """Extract host from URL for grouping host-scoped credentials."""
+    """Extract host and port from URL for grouping host-scoped credentials."""
     try:
-        parsed = urlparse(url)
+        parsed = parse_url(url)
-        return parsed.hostname or url
+        return parsed.hostname or url, parsed.port
     except Exception:
-        return ""
+        return "", None
 
 
 class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
@@ -606,7 +612,7 @@ class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
                 providers = frozenset(
                     [cast(CP, "http")]
                     + [
-                        cast(CP, _extract_host_from_url(str(value)))
+                        cast(CP, parse_url(str(value)).netloc)
                         for value in field.discriminator_values
                     ]
                 )

autogpt_platform/backend/backend/data/model_test.py

@@ -79,10 +79,23 @@ class TestHostScopedCredentials:
             headers={"Authorization": SecretStr("Bearer token")},
         )
 
-        assert creds.matches_url("http://localhost:8080/api/v1")
+        # Non-standard ports require explicit port in credential host
+        assert not creds.matches_url("http://localhost:8080/api/v1")
         assert creds.matches_url("https://localhost:443/secure/endpoint")
         assert creds.matches_url("http://localhost/simple")
 
+    def test_matches_url_with_explicit_port(self):
+        """Test URL matching with explicit port in credential host."""
+        creds = HostScopedCredentials(
+            provider="custom",
+            host="localhost:8080",
+            headers={"Authorization": SecretStr("Bearer token")},
+        )
+
+        assert creds.matches_url("http://localhost:8080/api/v1")
+        assert not creds.matches_url("http://localhost:3000/api/v1")
+        assert not creds.matches_url("http://localhost/simple")
+
     def test_empty_headers_dict(self):
         """Test HostScopedCredentials with empty headers."""
         creds = HostScopedCredentials(
@@ -128,8 +141,20 @@ class TestHostScopedCredentials:
             ("*.example.com", "https://sub.api.example.com/test", True),
             ("*.example.com", "https://example.com/test", True),
             ("*.example.com", "https://example.org/test", False),
-            ("localhost", "http://localhost:3000/test", True),
+            # Non-standard ports require explicit port in credential host
+            ("localhost", "http://localhost:3000/test", False),
+            ("localhost:3000", "http://localhost:3000/test", True),
             ("localhost", "http://127.0.0.1:3000/test", False),
+            # IPv6 addresses (frontend stores with brackets via URL.hostname)
+            ("[::1]", "http://[::1]/test", True),
+            ("[::1]", "http://[::1]:80/test", True),
+            ("[::1]", "https://[::1]:443/test", True),
+            ("[::1]", "http://[::1]:8080/test", False),  # Non-standard port
+            ("[::1]:8080", "http://[::1]:8080/test", True),
+            ("[::1]:8080", "http://[::1]:9090/test", False),
+            ("[2001:db8::1]", "http://[2001:db8::1]/path", True),
+            ("[2001:db8::1]", "https://[2001:db8::1]:443/path", True),
+            ("[2001:db8::1]", "http://[2001:db8::ff]/path", False),
         ],
     )
     def test_url_matching_parametrized(self, host: str, test_url: str, expected: bool):

autogpt_platform/backend/backend/util/request.py

@@ -157,12 +157,7 @@ async def validate_url(
         is_trusted: Boolean indicating if the hostname is in trusted_origins
         ip_addresses: List of IP addresses for the host; empty if the host is trusted
     """
-    # Canonicalize URL
+    parsed = parse_url(url)
-    url = url.strip("/ ").replace("\\", "/")
-    parsed = urlparse(url)
-    if not parsed.scheme:
-        url = f"http://{url}"
-        parsed = urlparse(url)
 
     # Check scheme
     if parsed.scheme not in ALLOWED_SCHEMES:
@@ -220,6 +215,17 @@ async def validate_url(
     )
 
 
+def parse_url(url: str) -> URL:
+    """Canonicalizes and parses a URL string."""
+    url = url.strip("/ ").replace("\\", "/")
+
+    # Ensure scheme is present for proper parsing
+    if not re.match(r"[a-z0-9+.\-]+://", url):
+        url = f"http://{url}"
+
+    return urlparse(url)
+
+
 def pin_url(url: URL, ip_addresses: Optional[list[str]] = None) -> URL:
     """
     Pins a URL to a specific IP address to prevent DNS rebinding attacks.

autogpt_platform/frontend/src/components/contextual/CredentialsInput/components/HotScopedCredentialsModal/HotScopedCredentialsModal.tsx

@@ -41,7 +41,17 @@ export function HostScopedCredentialsModal({
   const currentHost = currentUrl ? getHostFromUrl(currentUrl) : "";
 
   const formSchema = z.object({
-    host: z.string().min(1, "Host is required"),
+    host: z
+      .string()
+      .min(1, "Host is required")
+      .refine((val) => !/^[a-zA-Z][a-zA-Z\d+\-.]*:\/\//.test(val), {
+        message: "Enter only the host (e.g. api.example.com), not a full URL",
+      })
+      .refine((val) => !val.includes("/"), {
+        message:
+          "Enter only the host (e.g. api.example.com), without a trailing path. " +
+          "You may specify a port (e.g. api.example.com:8080) if needed.",
+      }),
     title: z.string().optional(),
     headers: z.record(z.string()).optional(),
   });

docs/integrations/README.md

@@ -62,7 +62,6 @@ Below is a comprehensive list of all available blocks, categorized by their prim
 | [Get Store Agent Details](block-integrations/system/store_operations.md#get-store-agent-details) | Get detailed information about an agent from the store |
 | [Get Weather Information](block-integrations/basic.md#get-weather-information) | Retrieves weather information for a specified location using OpenWeatherMap API |
 | [Human In The Loop](block-integrations/basic.md#human-in-the-loop) | Pause execution and wait for human approval or modification of data |
-| [Linear Search Issues](block-integrations/linear/issues.md#linear-search-issues) | Searches for issues on Linear |
 | [List Is Empty](block-integrations/basic.md#list-is-empty) | Checks if a list is empty |
 | [List Library Agents](block-integrations/system/library_operations.md#list-library-agents) | List all agents in your personal library |
 | [Note](block-integrations/basic.md#note) | A visual annotation block that displays a sticky note in the workflow editor for documentation and organization purposes |
@@ -571,6 +570,7 @@ Below is a comprehensive list of all available blocks, categorized by their prim
 | [Linear Create Comment](block-integrations/linear/comment.md#linear-create-comment) | Creates a new comment on a Linear issue |
 | [Linear Create Issue](block-integrations/linear/issues.md#linear-create-issue) | Creates a new issue on Linear |
 | [Linear Get Project Issues](block-integrations/linear/issues.md#linear-get-project-issues) | Gets issues from a Linear project filtered by status and assignee |
+| [Linear Search Issues](block-integrations/linear/issues.md#linear-search-issues) | Searches for issues on Linear |
 | [Linear Search Projects](block-integrations/linear/projects.md#linear-search-projects) | Searches for projects on Linear |
 
 ## Hardware

docs/integrations/block-integrations/linear/issues.md

@@ -90,9 +90,9 @@ Searches for issues on Linear
 
 ### How it works
 <!-- MANUAL: how_it_works -->
-This block searches for issues in Linear using a text query. It searches across issue titles, descriptions, and other fields to find matching issues.
+This block searches for issues in Linear using a text query. It searches across issue titles, descriptions, and other fields to find matching issues. You can limit the number of results returned using the `max_results` parameter (default: 10, max: 100) to control token consumption and response size.
 
-Returns a list of issues matching the search term.
+Optionally filter results by team name to narrow searches to specific workspaces. If a team name is provided, the block resolves it to a team ID before searching. Returns matching issues with their state, creation date, project, and assignee information. If the search or team resolution fails, an error message is returned.
 <!-- END MANUAL -->
 
 ### Inputs
@@ -100,12 +100,14 @@ Returns a list of issues matching the search term.
 | Input | Description | Type | Required |
 |-------|-------------|------|----------|
 | term | Term to search for issues | str | Yes |
+| max_results | Maximum number of results to return | int | No |
+| team_name | Optional team name to filter results (e.g., 'Internal', 'Open Source') | str | No |
 
 ### Outputs
 
 | Output | Description | Type |
 |--------|-------------|------|
-| error | Error message if the operation failed | str |
+| error | Error message if the search failed | str |
 | issues | List of issues | List[Issue] |
 
 ### Possible use case