* Revert "fix(mail): clarify that file path flags only accept relative paths (#141)"
This reverts commit 1ffe870dc8.
* Revert "feat(mail): auto-resolve local image paths in draft body HTML (#81) (#139)"
This reverts commit 70c72a2c02.
* Reapply "fix(mail): clarify that file path flags only accept relative paths (#141)"
This reverts commit d465e085b1.
* feat: add TestGenerateShortcutsJSON for registry shortcut export
Add a test that exports all shortcuts as JSON when SHORTCUTS_OUTPUT
env var is set, enabling the registry repo to extract shortcut
metadata without depending on a dump-shortcuts CLI command.
* refactor(keychain): improve error handling and consistency across platforms
- Change platformGet to return error instead of empty string
- Add proper error wrapping for keychain operations
- Make master key creation conditional in getMasterKey
- Improve error messages and handling for keychain access
- Update dependent code to handle new error returns
* docs(keychain): improve function documentation and error message
Add detailed doc comments for all platform-specific keychain functions to clarify their purpose and behavior. Also enhance the error hint message to include a suggestion for reconfiguring the CLI when keychain access fails.
* refactor(keychain): reorder operations in platformGet for better error handling
Check for file existence before attempting to read and get master key
* fix(keychain): improve error handling and consistency across platforms.
* fix(keychain): handle corrupted master key case
* fix(keychain): handle I/O errors when reading master key
* feat(ci): add PR size label pipeline
* chore(ci): make PR label sync non-blocking
* feat(ci): add dry-run mode for PR label sync
* feat(ci): add PR label dry-run samples
* test(ci): update PR label samples with real historical merged PRs
Replaced synthetic or open PR samples with actual merged/closed PRs from the
repository to provide a more accurate reflection of the size label categorization.
Added 4 samples each for sizes S, M, and L covering docs, fixes, ci, and features.
* feat(ci): add high-level area tags for PRs
Based on user feedback, fine-grained domain labels (like `domain/base`) are too detailed for the early stages.
This change adds support for applying `area/*` tags to indicate which important top-level modules a PR touches.
Currently tracked areas:
- `area/shortcuts`
- `area/skills`
- `area/cmd`
Minor modules like docs, ci, and tests are intentionally excluded to keep tags focused on critical architectural components.
* refactor(ci): extract pr-label-sync logic to a dedicated directory
To avoid polluting the root `scripts/` directory, moved `sync_pr_labels.js` and
`sync_pr_labels.samples.json` into a new `scripts/sync-pr-labels/` folder.
Added a dedicated README to document its usage and behavior.
Updated `.github/workflows/pr-labels.yml` to reflect the new path.
* refactor(ci): rename pr label script directory for simplicity
Renamed `scripts/sync-pr-labels/` to `scripts/pr-labels/` to keep directory
names concise. Updated internal references and GitHub workflow files to point
to the new path.
* ci: add GitHub Actions workflow to check skill format
* test(ci): update sample json to include expected_areas
Added `expected_areas` lists to each sample in `samples.json` to reflect
the newly added `area/*` high-level module tagging logic. Allows testing
to accurately check both `size/*` and `area/*` outputs.
* refactor(scripts): move skill format check to isolated directory and add README
* test(scripts): add positive and negative tests for skill format check
* fix(scripts): revert skill changes and downgrade version/metadata checks to warnings
* fix(scripts): completely remove version check and skip lark-shared
* refactor(ci): improve pr-labels script readability and maintainability
- Reorganized code into logical sections with clear comments
- Encapsulated GitHub API interactions into a reusable `GitHubClient` class
- Extracted and centralized classification logic into a pure `evaluateRules` function
- Replaced magic numbers with named constants (`THRESHOLD_L`, `THRESHOLD_XL`)
- Fixed `ROOT` path resolution logic
- Simplified conditional statements and control flow
* ci: fix setup-node version in pr-labels workflow
* tmp
* refactor(ci): replace generic area labels with business-specific ones
- Add PATH_TO_AREA_MAP to map shortcuts/skills paths to business areas (im, vc, ccm, base, mail, calendar, task, contact)
- Replace importantAreas with businessAreas throughout the codebase
- Remove area/shortcuts, area/skills, area/cmd generic labels
- Now generates specific labels like area/im, area/vc, area/ccm, etc.
- Update samples.json expected_areas to match new behavior
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(ci): address PR review feedback for label scripts and workflows
- Add `edited` event to PR labels workflow to trigger on title changes
- Add security warning comment in pr-labels.yml workflow
- Update pr-labels README with latest business area labels
- Exclude `skills/lark-*` paths from low risk doc classification
- Handle renamed files properly in PR path classification
- Fix YAML frontmatter extraction to handle CRLF line endings
- Use precise regex for YAML key validation instead of substring match
- Fix exit code checking logic in skill-format-check test script
- Translate Chinese comments in skill-format-check to English
* fix(skill-format-check): address CodeRabbit review feedback
- Fix frontmatter closing delimiter detection to strictly match '---' using regex, preventing invalid closing tags like '----' from passing.
- Improve test fixture reliability by failing tests immediately if fixture preparation fails, avoiding false positives.
* fix: address review comments from PR 148
- ci: warn when PR label sync fails in job summary
- test(skill-format-check): capture validator output for negative tests
- fix(skill-format-check): catch errors when reading SKILL.md to avoid hard crashes
* fix: add error handling for directory enumeration in skill-format-check
- refactor: use `fs.readdirSync` with `{ withFileTypes: true }` to avoid extra stat calls
- fix: catch and report errors gracefully during skills directory enumeration instead of crashing
* docs(skill-format-check): clarify `metadata` requirement in README
test(pr-labels): add edge case samples for skills paths, CCM multi-paths, and renames
* test(pr-labels): add real PR edge case samples
- use PR #134 to test skill path behaviors
- use PR #57 to test multi-path CCM resolution
- use PR #11 to test track renames cross domains
* refactor(ci): migrate pr labels from area to domain prefix
- Replaced `area/` prefix with `domain/` for PR labeling to align with existing GitHub labels
- Renamed internal constants and variables from `area` to `domain` (e.g. `PATH_TO_AREA_MAP` to `PATH_TO_DOMAIN_MAP`)
- Updated `samples.json` test data to use new `domain/` format and `expected_domains` key
- Added `scripts/pr-labels/test.js` runner script for continuous validation of labeling logic against PR samples
- Corrected expected size label for PR #134 test sample
* test: use execFileSync instead of execSync in pr-labels test script
* fix: resolve target path against process.cwd() instead of __dirname in skill-format-check
* docs: correct label prefix in PR label workflow README
- Updated README.md to reflect the new `domain/` label prefix instead of `area/`
* fix(ci): fix dry-run console output formatting and enforce auth in tests
- Removed duplicate domain array interpolation in printDryRunResult
- Added process.env.GITHUB_TOKEN guard in test.js to prevent ambiguous failures from API rate limits
* fix(ci): ensure PR labels can be applied reliably
- Added `issues: write` permission to pr-labels workflow, which is strictly required by the GitHub REST API to modify labels on pull requests
- Reordered script execution in `index.js` to apply/remove labels on the PR *before* attempting to sync repository-level label definitions (colors/descriptions). The definition sync is now a trailing best-effort step with error catching so transient repo-level API failures don't abort the critical path.
* fix(ci): fix edge cases in pr-label index script
- Added missing `skills/lark-task/` to `PATH_TO_DOMAIN_MAP` to properly detect task domain modifications
- Updated GitHub REST API error checking in `syncLabelDefinition` to reliably match `error.status === 422` rather than loosely checking substring
- Moved token presence check in `main()` to happen before `resolveContext` to avoid triggering unauthenticated 401 API limits when GITHUB_TOKEN is omitted locally
* test(ci): clean up PR label test samples
- Removed duplicate PR entries (#11 and #57) to reduce redundant API calls during testing
- Renamed sample test cases to correctly reflect their expected labels (e.g. `size-l-skill-format-check` -> `size-m-skill-format-check`)
* fix(ci): bootstrap new labels before applying to PRs
- Prior changes correctly made full label sync best-effort, but broke the flow for brand new domains
- GitHub API returns a 422 error if you attempt to attach a label to an Issue/PR that does not exist in the repository
- Added a targeted bootstrap loop to create/sync specifically the labels in `toAdd` before attempting `client.addLabels()`
- Left the remaining global label synchronization as a best-effort trailing action
* test(ci): automate PR label regression testing
- Added a dedicated GitHub Actions workflow (`pr-labels-test.yml`) to automatically run `test.js` against `samples.json` whenever the labeling logic is updated
- Documented local testing instructions in `scripts/pr-labels/README.md`
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(mail): auto-resolve local image paths in draft body HTML (#81)
Allow <img src="./local/path.png" /> in set_body/set_reply_body HTML.
Local file paths are automatically resolved into inline MIME parts with
generated CIDs, eliminating the need to manually pair add_inline with
set_body. Removing or replacing an <img> tag in the body automatically
cleans up or replaces the corresponding MIME inline part.
- Add postProcessInlineImages to unify resolve, validate, and orphan
cleanup into a single post-processing step
- Extract loadAndAttachInline shared helper to deduplicate addInline
and resolveLocalImgSrc logic
- Cache resolved paths so the same file is only attached once
- Use whitelist URI scheme detection instead of blacklist
- Remove dead validateInlineCIDAfterApply and
validateOrphanedInlineCIDAfterApply functions
Closes#81
* fix(mail): harden inline image CID handling
1. Fix imgSrcRegexp to skip attribute names like data-src/x-src that
contain "src" as a suffix — only match the real src attribute.
2. Sanitize cidFromFileName to replace whitespace with hyphens,
producing RFC-safe CID tokens (e.g. "my logo.png" → "my-logo").
3. Add CID validation in newInlinePart to reject spaces, tabs, angle
brackets, and parentheses — fail fast instead of silently producing
broken inline images in the sent email.
* refactor(mail): use UUID for auto-generated inline CIDs
Replace filename-derived CID generation (cidFromFileName + uniqueCID)
with UUID-based generation. UUIDs contain only [0-9a-f-] characters,
eliminating all RFC compliance risks from special characters, Unicode,
or filename collisions. Same-file deduplication via pathToCID cache
is preserved — multiple <img> tags referencing the same file still
share one MIME part and one CID.
* fix(mail): avoid panic in generateCID by using uuid.NewRandom
uuid.New() calls Must(NewRandom()) which panics if the random source
fails. Replace with uuid.NewRandom() and propagate the error through
resolveLocalImgSrc, so the CLI returns a clear error instead of
crashing in extreme environments.
* fix(mail): restore quote block hint in set_reply_body template description
The auto-resolve PR accidentally dropped "the quote block is
re-appended automatically" from the set_reply_body shape description.
Restore it alongside the new local-path support note.
* fix(mail): add orphan invariant comment and expand regex test coverage
- Add comment in postProcessInlineImages explaining that partially
attached inline parts on error are cleaned up by the next Apply.
- Add regex test cases: single-quoted src, multiple spaces before src,
and newline before src.
* fix(mail): use consistent inline predicate and safer HTML part lookup
1. removeOrphanedInlineParts: change condition from
ContentDisposition=="inline" && ContentID!="" to
isInlinePart(child) && ContentID!="", matching the predicate used
elsewhere — parts with only a ContentID (no Content-Disposition)
are now correctly cleaned up.
2. postProcessInlineImages: use findPrimaryBodyPart instead of
findPart(snapshot.Body, PrimaryHTMLPartID) to avoid stale PartID
after ops restructure the MIME tree.
* fix(mail): revert orphan cleanup to ContentDisposition check to protect HTML body
The previous change (d3d1982) broadened the orphan cleanup predicate to
isInlinePart(), which treats any part with a ContentID as inline. This
deletes the primary HTML body when it carries a Content-ID header
(valid in multipart/related), even on metadata-only edits like
set_subject.
Revert to the original ContentDisposition=="inline" && ContentID!=""
condition — only parts explicitly marked as inline attachments are
candidates for orphan removal. Add regression test covering
multipart/related with a Content-ID-bearing HTML body.
* fix: Fix the issue where the URL returned by the "lark-cli auth login --no-wait" command contains \u0026
* style: fix indentation and whitespace in error handling code
* fix(auth): handle JSON encoding errors in login output
* docs(cmd/auth): add comment for authLoginRun function
Add non-blocking update check that queries the npm registry for the
latest @larksuite/cli version. Results are cached locally (24h TTL)
to avoid repeated network requests.
When a newer version is detected, a `_notice.update` field is injected
into all JSON output envelopes (success, error, and shortcut responses),
enabling AI agents and scripts to surface upgrade prompts.
Key changes:
- New `internal/update` package: registry fetch, semver compare, cache
- Async check in root command (cache-first, then background refresh)
- `_notice` field added to Envelope/ErrorEnvelope structs
- `PrintJson` injects notice into map-based envelopes with "ok" key
- `doctor` command gains cli_version and cli_update checks
- Suppressed for CI, DEV builds, shell completion, and git-describe versions
* feat: add npm publish job to release workflow
Change-Id: Ibfae2af6bd2aabf09936c96d21964af98b77c127
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: bump package version to 1.0.1
Change-Id: Ifb58789be5621ab4979b5fe60e0e30042e07fea8
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(base): clarify field description usage in json
* chore(base docs): clarify field description usage
* docs(base): add description to field schema
Add workflows, forms, roles & permissions to the Base feature description
across READMEs and service registry to accurately reflect full coverage.
Co-authored-by: dengfanxin <dengfanxin.dfx@bytedance.com>
* docs: add official badge and maintainer attribution to README
Many third-party Feishu/Lark CLI tools exist, causing confusion
about which is the official one. Add an "Official" badge and a
blockquote clearly stating this repo is maintained by the
Lark/Feishu Open Platform team at larksuite.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: use 飞书官方 CLI 工具 in Chinese README
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: merge official attribution into description, drop Open Platform wording
Remove the separate blockquote and fold official status into the
main description line. Also remove "Open Platform" — this is
the Lark/Feishu CLI tool, not an "Open Platform CLI tool".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: remove self-made Official badge
No major official repo (OpenAI, Anthropic, Stripe, AWS, HashiCorp)
uses a custom shields.io "Official" badge — anyone can make one, so
it signals nothing. The org namespace (larksuite/) and the "official"
wording in the description are sufficient.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove sensitive send scope from reply and forward shortcuts
Remove mail:user_mailbox.message:send from the required scopes of
+reply, +reply-all, and +forward shortcuts. This scope is sensitive
and may not be granted, while these shortcuts default to saving
drafts and do not strictly require it.
* fix: validate send scope dynamically when --confirm-send is set
Add validateConfirmSendScope() to check mail:user_mailbox.message:send
in the Validate phase when --confirm-send is used, preventing the
"draft created but send failed" scenario. Add regression tests for
+reply, +reply-all, and +forward.
MarkRaw previously skipped both enrichPermissionError and
WriteErrorEnvelope, causing api command to exit 1 with no output
on API errors. Now MarkRaw only skips enrichPermissionError while
WriteErrorEnvelope always runs, ensuring stderr error envelope is
always written.
- Simplify apiRun MarkRaw logic (remove unnecessary IsJSONContentType check)
- Update existing tests to match new behavior
- Add 5 e2e tests covering api/service/shortcut error output
* ci: improve CI workflows and add golangci-lint config
- Add path filters to avoid unnecessary CI runs on non-Go changes
- Use go-version-file instead of hardcoded Go version
- Unify runners to ubuntu-latest
- Consolidate staticcheck/vet into golangci-lint with curated linter set
- Add go mod tidy check, govulncheck, and dependency license check
- Enable race detector in coverage, increase test timeout to 5m
- Add build verification step to tests workflow
- Add .codecov.yml with patch coverage target (60%)
- Add .golangci.yml (v2) with security and correctness linters
Change-Id: I409beb21cc1f1568ff47739c0a00f6214c10a0dd
* ci: replace Codecov upload with GitHub Job Summary coverage report
- Remove Codecov action dependency and CODECOV_TOKEN usage
- Generate coverage report using go tool cover and display in Job Summary
- Rename job from 'codecov' to 'coverage'
- Remove .codecov.yml from paths filter
Change-Id: Ib65dab6c4d7117c3300a9ea31eb1550537c72f88
* ci: trigger lint workflow
Change-Id: Ic1c492dd339f5460d2be2971ac65ea8f99e524eb
* ci: replace golangci-lint action with go run to avoid action whitelist restriction
Change-Id: I87274abf9780eb8b6350e98a27302ec5acc2a2e5
* ci: replace golangci-lint action with go run, keep incremental lint via --new-from-rev
Change-Id: I3d4a13cfd7b6c02e4098b04b8533a7248185c077
* ci: add fetch-depth 0 to lint checkout for incremental lint to work
Change-Id: I112279c5ec06dc0aa3aa7e01d564ea27fbd20533
* ci: disable errcheck linter due to high volume of existing violations
Change-Id: Iec57e8fbe42699f687d931d9dde2f879f2ae5b02
* ci: align golangci-lint config with GitHub CLI, make govulncheck non-blocking
- Add exptostd, gocheckcompilerdirectives, gochecksumtype, gomoddirectives linters
- Move gosec, staticcheck, errname, errorlint, misspell to TODO for later enablement
- Remove G104 exclusion (errcheck is disabled)
- Make govulncheck continue-on-error until Go version is upgraded
Change-Id: I330ece4f202229aee1e2f50790f6b22738704c05
* ci: fix go-licenses module path for v2
Change-Id: Ifd018ebe79cd18402171417b1b73313af2d23c6d
Combine the separate "Install CLI" and "Install AI Agent Skills" sections
into a single "Install" section for both human and AI Agent quick start
guides. Renumber the AI Agent steps accordingly.
Change-Id: I4ac10538d912a8889f52ea5a85e757d3e8bad21e
Add npm version badge to both README files for better package
discoverability. Reword the Quick Start tip to directly address
AI assistants instead of human users.
Change-Id: I9fb4252e4a7bde4ab6644c6ca6e63dc5d34b6f0c
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: emphasize Skills installation as required step for AI Agents
Split the AI Agent quick start from a single code block into separate
labeled steps, and add a prominent note explaining that without Skills
the Agent cannot discover available commands or parameters.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: position Skills installation as the core step of the setup
Reword the Skills step to convey that it is the most important part of
the entire setup — the CLI is just a binary, Skills are what give the
Agent the knowledge to operate Lark.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: tone down Skills step wording, keep it concise
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>