fix(linear): unblock wizard Save + UX polish for Linear PM setup

CHANGELOG.md

@@ -4,10 +4,17 @@ All notable user-visible changes to CASCADE are documented here. The format is l
 
 ## Unreleased
 
+### Added
+
+- **Linear wizard — inline webhook signing-secret field and accurate events list.** The Webhooks step of the Linear PM wizard now renders a `ProjectSecretField` bound to `LINEAR_WEBHOOK_SECRET` directly beneath the webhook URL, so operators can paste Linear's signing secret in place instead of navigating to the Credentials tab. The "Enable events" instructions now list the three event families CASCADE actually consumes — `Issues` (status transitions), `Comments` (bot @mentions), and `Issue Labels` ("Ready to Process") — each with a one-line rationale tracing back to the registered trigger handlers. (Spec [002](docs/specs/002-linear-webhook-setup-ux.md), plan [2/2](docs/plans/002-linear-webhook-setup-ux/2-wizard-webhooks-step.md).)
+
 ### Changed
 
 - **Review-agent context shape: compact diffs instead of full files.** The review agent's pre-fetched PR context now consists of compact per-file diffs (using GitHub's `file.patch`) rather than full file contents. Files that can't fit the budget — deleted, binary, oversized patch, or cumulative budget exhausted — are surfaced in a structured `SKIPPED FILES` injection that names each file with a reason and tells the agent how to fetch it on demand (`gh pr diff`, `Read`, `Grep`). This scales with PR size rather than repo size, mitigates LLM context rot, and ensures the agent is aware of (rather than blind to) the omissions. The context budget is `REVIEW_DIFF_CONTEXT_TOKEN_LIMIT` (200k tokens), replacing the prior 25k full-file cap. The `SKIPPED FILES` injection is also delivered to the four other agents that share the PR context pipeline (`respond-to-ci`, `respond-to-pr-comment`, `respond-to-review`, `resolve-conflicts`); explicit prompt guidance is added in `review.yaml` only. (Spec [001](docs/specs/001-pr-review-correctness.md), plan [2/2](docs/plans/001-pr-review-correctness/2-context-rework.md.done).)
 
 ### Fixed
 
+- **Linear wizard Save — HTTP 500 on `projects.integrations.upsert`.** A check constraint (`chk_integration_category_provider`) restricted the `pm` category to `trello` or `jira`; Linear support shipped without a matching constraint update, so every attempt to save a Linear PM integration failed with SQLSTATE 23514. Migration 0049 adds `linear` to the allowed `pm` providers. (Spec [002](docs/specs/002-linear-webhook-setup-ux.md), plan [1/2](docs/plans/002-linear-webhook-setup-ux/1-save-path-fix.md).)
+- **Dashboard error logs now surface DB diagnostic fields.** Unhandled errors in the Hono app error handler and tRPC error formatter now include PG error code, detail, constraint, table, and column (unwrapped from `.cause` when Drizzle wraps a pg driver error). Clients still receive a generic "Internal server error" for unexpected `INTERNAL_SERVER_ERROR` throws — real diagnostics go to stdout for operators to grep. (Spec [002](docs/specs/002-linear-webhook-setup-ux.md), plan [1/2](docs/plans/002-linear-webhook-setup-ux/1-save-path-fix.md).)
+
 - **Review agent on external-fork and large PRs.** PR checkouts now use the canonical `refs/pull/N/head` ref, which works for same-repo branches and external-fork branches alike. Previously, a silent `git checkout <branch>` failure on fork PRs caused the worker to review the base branch (`dev`) while believing it was on the PR branch, producing confidently wrong reviews. Any git or HEAD-SHA mismatch now fails the run loudly rather than silently continuing. Additionally, every paginated GitHub REST endpoint used in the review setup pipeline now paginates to completion, so PRs with more than 100 changed files are no longer truncated at the first page. (Spec [001](docs/specs/001-pr-review-correctness.md), plan [1/2](docs/plans/001-pr-review-correctness/1-checkout-and-pagination.md.done).)

docs/plans/002-linear-webhook-setup-ux/_coverage.md

@@ -0,0 +1,38 @@
+# Coverage map for spec 002-linear-webhook-setup-ux
+
+Auto-generated by /plan. Tracks which plans satisfy which spec ACs.
+
+## Spec ACs
+
+| # | Spec AC (short) | Satisfied by | Status |
+|---|---|---|---|
+| 1 | Instructions list matches registered Linear trigger handlers | plan 2 (wizard-webhooks-step) | full |
+| 2 | Inline webhook signing secret input present in the Webhooks step | plan 2 (wizard-webhooks-step) | full |
+| 3 | Pasting the secret persists it as `LINEAR_WEBHOOK_SECRET` | plan 2 (wizard-webhooks-step) | full |
+| 4 | Credentials tab and wizard inline field stay in sync | plan 2 (wizard-webhooks-step) | full |
+| 5 | Save succeeds end-to-end on a fresh project | plan 1 (save-path-fix) | full |
+| 6 | Save succeeds on re-configuration | plan 1 (save-path-fix) | full |
+| 7 | Save failures diagnosable in server log | plan 1 (save-path-fix) | full |
+| 8 | No secret leakage in plaintext logs | plan 1 (save-path-fix) | full |
+| 9 | No regression to Trello / JIRA wizards | plan 2 (wizard-webhooks-step) | full |
+| 10 | Other providers' webhook-secret UX (Sentry alerting) unchanged | plan 2 (wizard-webhooks-step) | full |
+
+## Coverage summary
+
+- **10 spec ACs** mapped to **2 plans**
+- **10 / 10** full-coverage ACs (each ACs is fully delivered by a single plan — no partial chains)
+- **0 partial-coverage ACs** — the plans are cleanly orthogonal: plan 1 is pure backend save-path + logging, plan 2 is pure wizard UI. Secret leakage (AC #8) is verified in plan 1 because the logging invariant is established there and exercised by the backend tests; plan 2 does not touch logging.
+
+## Plan dependency graph
+
+```
+1-save-path-fix ──→ 2-wizard-webhooks-step
+```
+
+Linear: plan 2 depends on plan 1 for end-to-end browser verification (the Save step must return 200 before the wizard can be walked through successfully on `dev`).
+
+## Notes
+
+- Plan 1 ships no user-visible UI change on its own; its value is "Linear wizard Save stops failing on `dev`" plus a permanent diagnostic improvement to the dashboard error path.
+- Plan 2 ships the visible UX polish and closes the spec.
+- Build/test/lint/typecheck are per-plan hygiene criteria, not counted against spec ACs above.