Every failure on the authentication, authorization, and configuration
path now surfaces as a typed structured error instead of an ad-hoc
envelope. Users and scripts that consume CLI output get:
- a fixed nine-category taxonomy on the wire, each mapped to a
stable shell exit code (authentication/authorization/config = 3,
network = 4, internal = 5, policy = 6, confirmation = 10)
- identity-aware detail fields (missing_scopes, requested_scopes,
granted_scopes, console_url, log_id, retryable, hint) carried
uniformly on the envelope
- a single canonical policy envelope at exit 6; the legacy
auth_error carve-out is retired
- per-subtype canonical message + hint that preserves Lark's
diagnostic phrasing and routes recovery to the right actor:
app developer (app_scope_not_applied), user (missing_scope,
token_scope_insufficient, user_unauthorized), or tenant admin
(app_unavailable, app_disabled)
- wrong app credentials classify as config/invalid_client whether
surfaced by the Open API endpoint (99991543) or the tenant
access-token mint endpoint (10003 / 10014), instead of
collapsing to a transport error or api/unknown
- local shortcut scope preflight emits the same
authorization/missing_scope envelope (identity + deterministic
missing-scope set) used by the post-call permission path, so AI
consumers read the same structured shape from precheck and from
server-returned permission denial
- streaming download/upload failures keep the same network subtype
split (timeout / TLS / DNS / transport) as the non-stream path
instead of collapsing every cause to a generic transport failure
- console_url is carried only on the bot-perspective
app_scope_not_applied envelope (where the recovery action is
"developer applies the scope at the developer console"); the
user-perspective missing_scope envelope drops the field, since
the only actionable user recovery is `lark-cli auth login --scope`
and pointing an end user at a console they cannot modify is
misleading
- bind workflows (Hermes / OpenClaw / lark-channel) flatten dynamic
Type tags to wire 'config' with the original module name kept
as a metric label
All 10 typed errors are cause-bearing, nil-safe on .Error() and
.Unwrap(), and defensively clone slice setter inputs. Four lint
rules (CheckNilSafeError / CheckBuilderImmutable / CheckUnwrapSymmetry
/ CheckBuildAPIErrorArms) lock these invariants on migrated paths.
lint/
Source-level static checks that guard lark-cli conventions golangci-lint
cannot express. Each lint domain is a sibling Go package under lint/;
the top-level lint/main.go aggregates results and emits a single
exit code.
lint/ is its own Go module so its golang.org/x/tools/go/packages
dependency does not leak into the shipped lark-cli binary's module
graph.
Layout
lint/
├── go.mod # module github.com/larksuite/cli/lint
├── go.sum
├── main.go # package main — dispatches to every registered domain
├── lintapi/ # shared types every domain returns
│ └── violation.go # Violation, Action, ActionReject / ActionLabel / ActionWarning
└── errscontract/ # first domain: typed-error contract guards
├── scan.go # ScanRepo(root) ([]lintapi.Violation, error) ← public entry
├── runner.go
├── typecheck.go
├── violation.go # local type aliases to lintapi
├── rule_problem_embed.go
├── rule_no_registrar.go
├── rule_adhoc_subtype.go
├── rule_declared_subtype.go
├── rule_subtype_classifier.go
├── rule_typed_error_completeness.go
└── *_test.go
Running
# from the repo root (one level above lint/)
go run -C lint . ..
-C lint switches Go's working directory to lint/; the .. argument
is the repo root to scan (relative to lint/).
CI: .github/workflows/ci.yml step Run errs/ lint guards (lintcheck).
Exit codes follow lint/main.go:
| Code | Meaning |
|---|---|
| 0 | no REJECT diagnostics (LABEL / WARNING are advisory) |
| 1 | one or more REJECT diagnostics |
| 2 | a domain's ScanRepo returned an error |
Adding a new lint domain
-
Create a sibling package:
lint/<domain>/. Pick a name that reads like a category, not a list of rules (errscontract/covers many error-contract rules;flagnaming/would cover many flag-related rules). -
Inside the new package, expose one public entry:
package <domain> import "github.com/larksuite/cli/lint/lintapi" // ScanRepo walks root and returns every violation produced by this // domain's checks. Domains MUST return []lintapi.Violation so the // top-level dispatcher can aggregate uniformly. func ScanRepo(root string) ([]lintapi.Violation, error) { ... } -
Per-rule files are named
rule_<name>.gowith siblingrule_<name>_test.go. Each rule function returns[]lintapi.Violation.runner.go(orscan.go) composes the rules. -
Register the domain in
lint/main.go:var scanners = []scanner{ {name: "errscontract", fn: errscontract.ScanRepo}, {name: "<domain>", fn: <domain>.ScanRepo}, // ← add here } -
Verify locally:
go test -C lint ./... # all domains' tests go run -C lint . .. # full scan against the repo -
Document the rules. If they enforce a contract that already has a spec (e.g.
errs/ERROR_CONTRACT.md), add the lint entry to that contract's "CI guards" table. Otherwise create a short spec alongside the package.
Rule severity conventions (lintapi.Action)
| Action | Effect | When to use |
|---|---|---|
ActionReject |
exit 1, fails CI | a contract violation that must be fixed before merge |
ActionLabel |
stderr only; CI can grep for [needs-taxonomy-decision] and label the PR |
governance signal that asks a human to choose (e.g. ad_hoc_* subtype needs a taxonomy decision) |
ActionWarning |
stderr only | advisory hint surfaced to reviewers (typed scope unavailable, fallback to AST-only, etc.) — never gates merges |
Only ActionReject contributes to a nonzero exit code; ActionLabel
and ActionWarning are reviewer signal only.