mirror of
https://github.com/larksuite/cli.git
synced 2026-07-06 00:06:28 +08:00
Building the command tree resolved brand (auth login --domain help) and strict mode (per-command identity-flag registration via ResolveStrictMode) through f.Config(), which decrypts the app secret. On macOS that is a Keychain (securityd IPC) read on every invocation -- even --help/--version/schema/completion, which never use the secret.

brand and strict mode are plain config.json fields, so route them through a secret-free metadata path:

- credential: add (*DefaultAccountProvider).ResolveMeta and a cached (*CredentialProvider).ResolveMeta returning brand + SupportedIdentities, via an optional metaResolver capability; external providers fall back to ResolveAccount (they do not touch the keychain).
- cmdutil: ResolveStrictMode now uses ResolveMeta; add Factory.ConfigBrand.
- auth login help text and shortcut registration read ConfigBrand.

The app secret is still decrypted on demand when a command actually calls the API (auth status etc. unchanged).

Measured on macOS (GOMAXPROCS=1): lark-cli --help 35.4ms -> 21.4ms (-40%); no behavior change on Linux/Windows (local secret backends are cheap).
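
The optional-capability pattern the commit message describes, as an added Go example that is not lark-cli's code: non-secret metadata is resolved once through a `ResolveMeta` capability when the provider has one, and through `ResolveAccount` otherwise. The method names come from the message; their signatures, the other type names, the counters and the brand value are hypothetical stand-ins, and `sync.OnceValues` needs Go 1.21 or later.

```go
package main

import (
	"fmt"
	"sync"
)

// Every type and value here is a hypothetical stand-in, not lark-cli's real code.
type (
	Meta    struct{ Brand string } // plain config.json field, no secret involved
	Account struct {
		Meta
		AppSecret string
	}
	provider interface{ ResolveAccount() (Account, error) }
	// metaResolver is the optional capability: metadata without a secret read.
	metaResolver interface{ ResolveMeta() (Meta, error) }
	// localProvider counts secret-store decrypts; externalProvider lacks ResolveMeta.
	localProvider    struct{ secretReads int }
	externalProvider struct{ calls int }
)

func (p *localProvider) ResolveMeta() (Meta, error) { return Meta{Brand: "example-brand"}, nil }
func (p *localProvider) ResolveAccount() (Account, error) {
	p.secretReads++ // stands in for the keychain round trip
	return Account{Meta: Meta{Brand: "example-brand"}, AppSecret: "constructed-secret"}, nil
}
func (p *externalProvider) ResolveAccount() (Account, error) {
	p.calls++
	return Account{Meta: Meta{Brand: "example-brand"}}, nil
}

// newMetaResolver returns a cached lookup that prefers the secret-free path.
func newMetaResolver(p provider) func() (Meta, error) {
	return sync.OnceValues(func() (Meta, error) {
		if mr, ok := p.(metaResolver); ok {
			return mr.ResolveMeta()
		}
		acct, err := p.ResolveAccount() // fallback: provider lacks the capability
		return acct.Meta, err
	})
}

func main() {
	lp := &localProvider{}
	m, _ := newMetaResolver(lp)()
	fmt.Println(m.Brand, lp.secretReads)
}
```

A counter like `secretReads` can back a regression test asserting that help, version and completion paths never reach the secret store.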