secplugin Usage Guide
Chinese version: see README.zh-CN.md.
secplugin enables a secure proxy mode for the CLI. It forces outbound HTTP(S)
requests to go through a local security proxy and can optionally trust an
additional CA certificate bundle.
It supports two configuration methods:
sec_config.jsonLARKSUITE_CLI_SEC_*environment variables
Config File Location
Default config file path:
~/.lark-cli/sec_config.json
If LARKSUITE_CLI_CONFIG_DIR is set, the path becomes:
$LARKSUITE_CLI_CONFIG_DIR/sec_config.json
Option 1: Config File
Put the following content into sec_config.json:
{
"LARKSUITE_CLI_SEC_ENABLE": true,
"LARKSUITE_CLI_SEC_PROXY": "http://127.0.0.1:3128",
"LARKSUITE_CLI_SEC_CA": "/absolute/path/to/proxy-ca.pem",
"LARKSUITE_CLI_SEC_AUTH": true,
"LARKSUITE_CLI_APP_ID": "cli_xxx",
"LARKSUITE_CLI_BRAND": "feishu",
"LARKSUITE_CLI_DEFAULT_AS": "bot",
"LARKSUITE_CLI_STRICT_MODE": "bot"
}
Field descriptions:
LARKSUITE_CLI_SEC_ENABLE: Enables secplugin. Boolean values are supported.LARKSUITE_CLI_SEC_PROXY: Local HTTP proxy address. It must behttp://127.0.0.1:<port>.LARKSUITE_CLI_SEC_CA: Absolute path to an extra trusted root CA PEM file. Leave empty if not needed.LARKSUITE_CLI_SEC_AUTH: Enables proxy-injected token mode.LARKSUITE_CLI_APP_ID: Optional app ID used inSEC_AUTHmode.LARKSUITE_CLI_BRAND: Optional, must befeishuorlark.LARKSUITE_CLI_DEFAULT_AS: Optional, must beuser,bot, orauto.LARKSUITE_CLI_STRICT_MODE: Optional, must beuser,bot, oroff.
Option 2: Environment Variables
You can also enable secplugin directly with environment variables without
creating sec_config.json:
export LARKSUITE_CLI_SEC_ENABLE=true
export LARKSUITE_CLI_SEC_PROXY=http://127.0.0.1:3128
export LARKSUITE_CLI_SEC_CA=/absolute/path/to/proxy-ca.pem
export LARKSUITE_CLI_SEC_AUTH=true
If you want to provide app metadata in SEC_AUTH mode, set these as well:
export LARKSUITE_CLI_APP_ID=cli_xxx
export LARKSUITE_CLI_BRAND=feishu
export LARKSUITE_CLI_DEFAULT_AS=bot
export LARKSUITE_CLI_STRICT_MODE=bot
Precedence
The following environment variables override the corresponding fields in
sec_config.json when they are present:
LARKSUITE_CLI_SEC_ENABLELARKSUITE_CLI_SEC_PROXYLARKSUITE_CLI_SEC_CALARKSUITE_CLI_SEC_AUTHLARKSUITE_CLI_APP_IDLARKSUITE_CLI_BRANDLARKSUITE_CLI_DEFAULT_ASLARKSUITE_CLI_STRICT_MODE
This means:
- Put stable defaults in
sec_config.json. - Use environment variables for temporary overrides.
- SEC-related environment variables can work even without a config file.
SEC_AUTH Mode
The CLI enters SEC_AUTH mode when both of the following are true:
LARKSUITE_CLI_SEC_ENABLE=true
LARKSUITE_CLI_SEC_AUTH=true
In this mode, the CLI does not read real tokens directly. Instead, it returns placeholder tokens and expects the proxy to replace them with real credentials.
App information is resolved in this order:
LARKSUITE_CLI_APP_IDandLARKSUITE_CLI_BRANDfrom environment variables- The same fields in
sec_config.json - The active profile in the regular CLI
config.json
If no valid app information can be resolved from any source, the command fails.
Constraints
LARKSUITE_CLI_SEC_PROXYmust use thehttpscheme only.- The host of
LARKSUITE_CLI_SEC_PROXYmust be127.0.0.1. LARKSUITE_CLI_SEC_PROXYmust not contain a path.LARKSUITE_CLI_SEC_CAmust be an absolute path to a PEM file.- Boolean values support
true/false,1/0,on/off,yes/no, andy/n.
Recommendations
For long-term stable setup, prefer sec_config.json:
- Good for developer machines or controlled environments.
- Avoids repeatedly injecting environment variables into the shell.
For temporary debugging, prefer environment variables:
- Good for switching proxy or CA for just one session.
- No need to modify files on disk.