diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1c7794d9a..9691a817a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,7 +51,7 @@ jobs: with: go-version: '1.23' - name: Keychain signer round-trip (CGO-free purego FFI) - run: LARK_KEYCHAIN_IT=1 CGO_ENABLED=0 go test -tags keychain_signer -run Keychain -v ./extension/keysigner/ + run: LARK_KEYCHAIN_IT=1 CGO_ENABLED=0 go test -tags keychain_signer -run Keychain -v ./internal/keysigner/ publish-npm: needs: goreleaser diff --git a/cmd/config/init.go b/cmd/config/init.go index 348bd8b40..ac260f715 100644 --- a/cmd/config/init.go +++ b/cmd/config/init.go @@ -14,12 +14,12 @@ import ( "github.com/spf13/cobra" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/auth" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" "github.com/larksuite/cli/internal/i18n" "github.com/larksuite/cli/internal/keychain" + "github.com/larksuite/cli/internal/keysigner" "github.com/larksuite/cli/internal/output" ) diff --git a/cmd/config/init_auth_method_test.go b/cmd/config/init_auth_method_test.go index 47a3a7db0..e0f29c752 100644 --- a/cmd/config/init_auth_method_test.go +++ b/cmd/config/init_auth_method_test.go @@ -8,9 +8,9 @@ import ( "crypto" "testing" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) type authMethodTestSigner struct{} diff --git a/cmd/config/init_interactive.go b/cmd/config/init_interactive.go index 03f088ccf..de6c4fda6 100644 --- a/cmd/config/init_interactive.go +++ b/cmd/config/init_interactive.go @@ -16,11 +16,11 @@ import ( qrcode "github.com/skip2/go-qrcode" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" larkauth "github.com/larksuite/cli/internal/auth" "github.com/larksuite/cli/internal/auth/jwt" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" "github.com/larksuite/cli/internal/output" "github.com/larksuite/cli/internal/transport" ) diff --git a/cmd/config/init_probe.go b/cmd/config/init_probe.go index a4a69cf9f..cd8cfad64 100644 --- a/cmd/config/init_probe.go +++ b/cmd/config/init_probe.go @@ -12,11 +12,11 @@ import ( "time" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/build" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" "github.com/larksuite/cli/internal/credential" + "github.com/larksuite/cli/internal/keysigner" ) // probeTimeout is the total wall-clock budget for the credential probe step diff --git a/cmd/config/init_probe_test.go b/cmd/config/init_probe_test.go index 59895d84e..878a21d2f 100644 --- a/cmd/config/init_probe_test.go +++ b/cmd/config/init_probe_test.go @@ -19,10 +19,10 @@ import ( "time" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/build" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) // fakeRT routes requests to per-path handlers and records what it saw. diff --git a/cmd/doctor/doctor.go b/cmd/doctor/doctor.go index 5c9062269..f74b44084 100644 --- a/cmd/doctor/doctor.go +++ b/cmd/doctor/doctor.go @@ -16,11 +16,11 @@ import ( "github.com/spf13/cobra" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/build" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" "github.com/larksuite/cli/internal/identitydiag" + "github.com/larksuite/cli/internal/keysigner" "github.com/larksuite/cli/internal/output" "github.com/larksuite/cli/internal/transport" "github.com/larksuite/cli/internal/update" diff --git a/cmd/doctor/doctor_test.go b/cmd/doctor/doctor_test.go index eb6cf98ab..2e2ef45b7 100644 --- a/cmd/doctor/doctor_test.go +++ b/cmd/doctor/doctor_test.go @@ -13,9 +13,9 @@ import ( "github.com/spf13/cobra" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/cmdutil" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) func TestNewCmdDoctor_FlagParsing(t *testing.T) { diff --git a/internal/auth/client_auth.go b/internal/auth/client_auth.go index dfb83eab6..f1c891fdf 100644 --- a/internal/auth/client_auth.go +++ b/internal/auth/client_auth.go @@ -9,9 +9,9 @@ import ( "net/url" "time" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/auth/jwt" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) // ClientAuth describes how to authenticate the OAuth client at the token diff --git a/internal/auth/client_auth_test.go b/internal/auth/client_auth_test.go index 1d7935b42..3add98edb 100644 --- a/internal/auth/client_auth_test.go +++ b/internal/auth/client_auth_test.go @@ -13,9 +13,9 @@ import ( "net/url" "testing" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/auth/jwt" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) // fakeAuthSigner is a real in-memory ECDSA P-256 signer for client-auth tests. diff --git a/internal/auth/jwt/jwt.go b/internal/auth/jwt/jwt.go index 4589f2510..0ac57bc46 100644 --- a/internal/auth/jwt/jwt.go +++ b/internal/auth/jwt/jwt.go @@ -17,7 +17,7 @@ import ( "time" "github.com/google/uuid" - "github.com/larksuite/cli/extension/keysigner" + "github.com/larksuite/cli/internal/keysigner" ) func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } diff --git a/internal/auth/jwt/jwt_test.go b/internal/auth/jwt/jwt_test.go index 049158451..aa5aebe1e 100644 --- a/internal/auth/jwt/jwt_test.go +++ b/internal/auth/jwt/jwt_test.go @@ -17,7 +17,7 @@ import ( "testing" "time" - "github.com/larksuite/cli/extension/keysigner" + "github.com/larksuite/cli/internal/keysigner" ) // fakeSigner is a real in-memory ECDSA P-256 signer, so tests exercise the full diff --git a/internal/auth/uat_client.go b/internal/auth/uat_client.go index c0d8d1345..a56e50c68 100644 --- a/internal/auth/uat_client.go +++ b/internal/auth/uat_client.go @@ -19,9 +19,9 @@ import ( "github.com/gofrs/flock" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/core" "github.com/larksuite/cli/internal/errclass" + "github.com/larksuite/cli/internal/keysigner" "github.com/larksuite/cli/internal/vfs" ) diff --git a/internal/credential/default_provider.go b/internal/credential/default_provider.go index adb58a122..2daf2137a 100644 --- a/internal/credential/default_provider.go +++ b/internal/credential/default_provider.go @@ -17,7 +17,7 @@ import ( "github.com/larksuite/cli/internal/keychain" extcred "github.com/larksuite/cli/extension/credential" - "github.com/larksuite/cli/extension/keysigner" + "github.com/larksuite/cli/internal/keysigner" ) // classifyTATResponseCode wraps a deterministic (non-transient) failure from the diff --git a/internal/credential/tat_fetch.go b/internal/credential/tat_fetch.go index c72f6e694..71d87acb6 100644 --- a/internal/credential/tat_fetch.go +++ b/internal/credential/tat_fetch.go @@ -14,10 +14,10 @@ import ( "time" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/auth" "github.com/larksuite/cli/internal/auth/jwt" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) // FetchTAT performs a single HTTP POST to mint a tenant access token via the diff --git a/internal/credential/tat_fetch_test.go b/internal/credential/tat_fetch_test.go index d5cc7fa82..27813a449 100644 --- a/internal/credential/tat_fetch_test.go +++ b/internal/credential/tat_fetch_test.go @@ -21,8 +21,8 @@ import ( "testing" "github.com/larksuite/cli/errs" - "github.com/larksuite/cli/extension/keysigner" "github.com/larksuite/cli/internal/core" + "github.com/larksuite/cli/internal/keysigner" ) // stubRoundTripper lets us assert request shape and return canned responses. diff --git a/extension/keysigner/keysigner.go b/internal/keysigner/keysigner.go similarity index 100% rename from extension/keysigner/keysigner.go rename to internal/keysigner/keysigner.go diff --git a/extension/keysigner/keysigner_test.go b/internal/keysigner/keysigner_test.go similarity index 100% rename from extension/keysigner/keysigner_test.go rename to internal/keysigner/keysigner_test.go diff --git a/extension/keysigner/registry.go b/internal/keysigner/registry.go similarity index 100% rename from extension/keysigner/registry.go rename to internal/keysigner/registry.go diff --git a/extension/keysigner/signer_keychain_darwin.go b/internal/keysigner/signer_keychain_darwin.go similarity index 98% rename from extension/keysigner/signer_keychain_darwin.go rename to internal/keysigner/signer_keychain_darwin.go index 57c6d9a00..eb9e28ee3 100644 --- a/extension/keysigner/signer_keychain_darwin.go +++ b/internal/keysigner/signer_keychain_darwin.go @@ -267,9 +267,11 @@ func init() { Register(keychainSigner{}) } // (prober-less) signer as "no TEE signer in this build". func (keychainSigner) ProbeHardware(_ context.Context) (HardwareInfo, error) { info := HardwareInfo{Backend: "keychain", VendorName: "macOS Keychain"} - if _, err := os.Stat(securityBin); err != nil { + // A missing security tool is a status (Available=false via Reason), not a + // probe error — so we deliberately return a nil error here. + if _, err := vfs.Stat(securityBin); err != nil { info.Reason = securityBin + " not found" - return info, nil + return info, nil //nolint:nilerr // absence is reported via Reason, not as an error } info.Available = true return info, nil diff --git a/extension/keysigner/signer_keychain_darwin_test.go b/internal/keysigner/signer_keychain_darwin_test.go similarity index 96% rename from extension/keysigner/signer_keychain_darwin_test.go rename to internal/keysigner/signer_keychain_darwin_test.go index e1ef02474..6d8d35b71 100644 --- a/extension/keysigner/signer_keychain_darwin_test.go +++ b/internal/keysigner/signer_keychain_darwin_test.go @@ -27,7 +27,7 @@ func TestKeychainSignerRegistered(t *testing.T) { // because it mutates the dedicated lark-cli keychain store. The signer is now // cgo-free (purego runtime FFI), so it runs with CGO_ENABLED=0. Run with: // -// LARK_KEYCHAIN_IT=1 go test -run RoundTrip ./extension/keysigner/ +// LARK_KEYCHAIN_IT=1 go test -run RoundTrip ./internal/keysigner/ func TestKeychainSignerRoundTrip(t *testing.T) { if os.Getenv("LARK_KEYCHAIN_IT") == "" { t.Skip("set LARK_KEYCHAIN_IT=1 to run (mutates the macOS keychain)") diff --git a/extension/keysigner/signer_sks.go b/internal/keysigner/signer_sks.go similarity index 100% rename from extension/keysigner/signer_sks.go rename to internal/keysigner/signer_sks.go diff --git a/extension/keysigner/signer_sks_test.go b/internal/keysigner/signer_sks_test.go similarity index 100% rename from extension/keysigner/signer_sks_test.go rename to internal/keysigner/signer_sks_test.go