Files
larksuite-cli/lint/errscontract/rule_nil_safe_error.go
evandance 99e314fe0b feat(errs): typed envelope contract for auth-domain errors (#1135)
Every failure on the authentication, authorization, and configuration
path now surfaces as a typed structured error instead of an ad-hoc
envelope. Users and scripts that consume CLI output get:

  - a fixed nine-category taxonomy on the wire, each mapped to a
    stable shell exit code (authentication/authorization/config = 3,
    network = 4, internal = 5, policy = 6, confirmation = 10)
  - identity-aware detail fields (missing_scopes, requested_scopes,
    granted_scopes, console_url, log_id, retryable, hint) carried
    uniformly on the envelope
  - a single canonical policy envelope at exit 6; the legacy
    auth_error carve-out is retired
  - per-subtype canonical message + hint that preserves Lark's
    diagnostic phrasing and routes recovery to the right actor:
    app developer (app_scope_not_applied), user (missing_scope,
    token_scope_insufficient, user_unauthorized), or tenant admin
    (app_unavailable, app_disabled)
  - wrong app credentials classify as config/invalid_client whether
    surfaced by the Open API endpoint (99991543) or the tenant
    access-token mint endpoint (10003 / 10014), instead of
    collapsing to a transport error or api/unknown
  - local shortcut scope preflight emits the same
    authorization/missing_scope envelope (identity + deterministic
    missing-scope set) used by the post-call permission path, so AI
    consumers read the same structured shape from precheck and from
    server-returned permission denial
  - streaming download/upload failures keep the same network subtype
    split (timeout / TLS / DNS / transport) as the non-stream path
    instead of collapsing every cause to a generic transport failure
  - console_url is carried only on the bot-perspective
    app_scope_not_applied envelope (where the recovery action is
    "developer applies the scope at the developer console"); the
    user-perspective missing_scope envelope drops the field, since
    the only actionable user recovery is `lark-cli auth login --scope`
    and pointing an end user at a console they cannot modify is
    misleading
  - bind workflows (Hermes / OpenClaw / lark-channel) flatten dynamic
    Type tags to wire 'config' with the original module name kept
    as a metric label

All 10 typed errors are cause-bearing, nil-safe on .Error() and
.Unwrap(), and defensively clone slice setter inputs. Four lint
rules (CheckNilSafeError / CheckBuilderImmutable / CheckUnwrapSymmetry
/ CheckBuildAPIErrorArms) lock these invariants on migrated paths.
2026-05-30 19:08:41 +08:00

181 lines
5.2 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
package errscontract
import (
"go/ast"
"go/parser"
"go/token"
"strings"
)
// CheckNilSafeError enforces that every typed *Error struct embedding
// Problem by value defines its own pointer-receiver Error() method whose
// first statement is a nil-receiver guard returning "".
//
// Why: the embedded Problem provides Error() via promotion, but a typed-
// nil interface holder (`var e *XxxError; var err error = e`) bypasses
// the promoted method's receiver guard and panics on err.Error().
// Each typed wrapper therefore needs its own nil-safe override.
//
// Scope: errs/ package files. Unexported helper structs are skipped —
// they are not part of the public taxonomy.
//
// Returns REJECT violations.
func CheckNilSafeError(path, src string) []Violation {
if !isErrsPackagePath(path) {
return nil
}
fset := token.NewFileSet()
file, err := parser.ParseFile(fset, path, src, parser.ParseComments)
if err != nil {
return nil
}
// Collect every exported struct embedding Problem-by-value.
embedders := collectProblemEmbedders(file)
if len(embedders) == 0 {
return nil
}
// Find all Error() methods defined on those types (pointer or value receiver).
errorMethods := collectMethodsNamed(file, "Error")
var out []Violation
for name, pos := range embedders {
fn, ok := errorMethods[name]
if !ok {
out = append(out, Violation{
Rule: "nil_safe_error",
Action: ActionReject,
File: path,
Line: fset.Position(pos).Line,
Message: "typed error " + name + " embeds Problem by value but defines no own Error() — typed-nil holders will panic via promoted method",
Suggestion: "add `func (e *" + name + ") Error() string { if e == nil { return \"\" }; return e.Problem.Error() }` " +
"so an interface holding a typed-nil pointer returns \"\" instead of panicking",
})
continue
}
if !hasNilReceiverGuard(fn) {
out = append(out, Violation{
Rule: "nil_safe_error",
Action: ActionReject,
File: path,
Line: fset.Position(fn.Pos()).Line,
Message: "typed error " + name + ".Error() lacks `if e == nil { return \"\" }` nil-receiver guard",
Suggestion: "first statement of " + name + ".Error() must be the nil-receiver guard so typed-nil holders cannot panic",
})
}
}
return out
}
// collectProblemEmbedders returns the map of exported *Error struct names
// in the file that embed Problem (by value) → declaration position.
func collectProblemEmbedders(file *ast.File) map[string]token.Pos {
out := map[string]token.Pos{}
ast.Inspect(file, func(n ast.Node) bool {
ts, ok := n.(*ast.TypeSpec)
if !ok {
return true
}
st, ok := ts.Type.(*ast.StructType)
if !ok {
return true
}
name := ts.Name.Name
if !ast.IsExported(name) || !strings.HasSuffix(name, "Error") || name == "Error" {
return true
}
if !embedsProblem(st) {
return true
}
out[name] = ts.Pos()
return true
})
return out
}
// collectMethodsNamed returns receiver-type name → FuncDecl for every
// method whose declared name matches methodName. The receiver type may
// be either `T` or `*T`; both forms are recorded under "T".
func collectMethodsNamed(file *ast.File, methodName string) map[string]*ast.FuncDecl {
out := map[string]*ast.FuncDecl{}
for _, decl := range file.Decls {
fn, ok := decl.(*ast.FuncDecl)
if !ok || fn.Recv == nil || len(fn.Recv.List) == 0 {
continue
}
if fn.Name == nil || fn.Name.Name != methodName {
continue
}
recv := receiverTypeName(fn.Recv.List[0].Type)
if recv == "" {
continue
}
out[recv] = fn
}
return out
}
// receiverTypeName extracts T from a method receiver expression (`T` or `*T`).
func receiverTypeName(expr ast.Expr) string {
switch t := expr.(type) {
case *ast.Ident:
return t.Name
case *ast.StarExpr:
if id, ok := t.X.(*ast.Ident); ok {
return id.Name
}
}
return ""
}
// hasNilReceiverGuard reports whether the first statement of fn is the
// canonical `if e == nil { return ... }` guard. The receiver name is read
// from fn.Recv so the check is robust to renamed receivers.
func hasNilReceiverGuard(fn *ast.FuncDecl) bool {
if fn.Body == nil || len(fn.Body.List) == 0 {
return false
}
recvName := ""
if len(fn.Recv.List) > 0 && len(fn.Recv.List[0].Names) > 0 {
recvName = fn.Recv.List[0].Names[0].Name
}
if recvName == "" {
return false
}
ifs, ok := fn.Body.List[0].(*ast.IfStmt)
if !ok {
return false
}
bin, ok := ifs.Cond.(*ast.BinaryExpr)
if !ok || bin.Op != token.EQL {
return false
}
// Accept either `recv == nil` or `nil == recv`.
if !isIdent(bin.X, recvName) || !isIdent(bin.Y, "nil") {
if !isIdent(bin.Y, recvName) || !isIdent(bin.X, "nil") {
return false
}
}
// Body must contain a ReturnStmt (we don't require empty-string return —
// some types return a more specific sentinel; the contract is "return
// without dereferencing the nil receiver").
if ifs.Body == nil {
return false
}
for _, stmt := range ifs.Body.List {
if _, ok := stmt.(*ast.ReturnStmt); ok {
return true
}
}
return false
}
func isIdent(expr ast.Expr, name string) bool {
id, ok := expr.(*ast.Ident)
return ok && id.Name == name
}