Files
larksuite-cli/lint/errscontract/rule_builder_immutable.go
evandance 99e314fe0b feat(errs): typed envelope contract for auth-domain errors (#1135)
Every failure on the authentication, authorization, and configuration
path now surfaces as a typed structured error instead of an ad-hoc
envelope. Users and scripts that consume CLI output get:

  - a fixed nine-category taxonomy on the wire, each mapped to a
    stable shell exit code (authentication/authorization/config = 3,
    network = 4, internal = 5, policy = 6, confirmation = 10)
  - identity-aware detail fields (missing_scopes, requested_scopes,
    granted_scopes, console_url, log_id, retryable, hint) carried
    uniformly on the envelope
  - a single canonical policy envelope at exit 6; the legacy
    auth_error carve-out is retired
  - per-subtype canonical message + hint that preserves Lark's
    diagnostic phrasing and routes recovery to the right actor:
    app developer (app_scope_not_applied), user (missing_scope,
    token_scope_insufficient, user_unauthorized), or tenant admin
    (app_unavailable, app_disabled)
  - wrong app credentials classify as config/invalid_client whether
    surfaced by the Open API endpoint (99991543) or the tenant
    access-token mint endpoint (10003 / 10014), instead of
    collapsing to a transport error or api/unknown
  - local shortcut scope preflight emits the same
    authorization/missing_scope envelope (identity + deterministic
    missing-scope set) used by the post-call permission path, so AI
    consumers read the same structured shape from precheck and from
    server-returned permission denial
  - streaming download/upload failures keep the same network subtype
    split (timeout / TLS / DNS / transport) as the non-stream path
    instead of collapsing every cause to a generic transport failure
  - console_url is carried only on the bot-perspective
    app_scope_not_applied envelope (where the recovery action is
    "developer applies the scope at the developer console"); the
    user-perspective missing_scope envelope drops the field, since
    the only actionable user recovery is `lark-cli auth login --scope`
    and pointing an end user at a console they cannot modify is
    misleading
  - bind workflows (Hermes / OpenClaw / lark-channel) flatten dynamic
    Type tags to wire 'config' with the original module name kept
    as a metric label

All 10 typed errors are cause-bearing, nil-safe on .Error() and
.Unwrap(), and defensively clone slice setter inputs. Four lint
rules (CheckNilSafeError / CheckBuilderImmutable / CheckUnwrapSymmetry
/ CheckBuildAPIErrorArms) lock these invariants on migrated paths.
2026-05-30 19:08:41 +08:00

164 lines
4.8 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
package errscontract
import (
"go/ast"
"go/parser"
"go/token"
"strings"
)
// CheckBuilderImmutable enforces builder immutability: a `With*` method on
// a typed *Error must not stash a caller-provided slice or map directly
// into a receiver field. The caller can later mutate the slice/map
// (append, delete) and silently corrupt the already-emitted typed envelope.
//
// Required shape — defensive clone:
//
// func (e *PermissionError) WithMissingScopes(scopes ...string) *PermissionError {
// e.MissingScopes = slices.Clone(scopes)
// return e
// }
//
// Violating shape — raw assignment:
//
// func (e *PermissionError) WithMissingScopes(scopes ...string) *PermissionError {
// e.MissingScopes = scopes
// return e
// }
//
// Detection strategy (AST-only, no type info):
// - Method name starts with "With" and takes at least one parameter
// - One parameter is a slice (`[]T`), variadic (`...T`), or map (`map[K]V`)
// - The method body contains `e.<Field> = <paramName>` where <paramName>
// is exactly the slice/map parameter, with no slices.Clone / maps.Clone
// wrapper.
//
// Scope: errs/ package files (typed builders live there).
//
// Returns REJECT violations.
func CheckBuilderImmutable(path, src string) []Violation {
if !isErrsPackagePath(path) {
return nil
}
fset := token.NewFileSet()
file, err := parser.ParseFile(fset, path, src, parser.ParseComments)
if err != nil {
return nil
}
var out []Violation
for _, decl := range file.Decls {
fn, ok := decl.(*ast.FuncDecl)
if !ok || fn.Recv == nil || fn.Body == nil {
continue
}
if fn.Name == nil || !strings.HasPrefix(fn.Name.Name, "With") {
continue
}
// Only fire on methods whose receiver is a typed *Error from this package.
recvType := receiverTypeName(fn.Recv.List[0].Type)
if recvType == "" || !strings.HasSuffix(recvType, "Error") || recvType == "Error" {
continue
}
refParams := collectReferenceTypeParams(fn.Type)
if len(refParams) == 0 {
continue
}
out = append(out, scanBuilderBody(path, fset, fn, refParams)...)
}
return out
}
// collectReferenceTypeParams returns the names of parameters whose type
// is a slice, variadic, or map (the reference-mutable shapes the rule
// guards). Pointer-to-slice / pointer-to-map are also considered.
func collectReferenceTypeParams(ft *ast.FuncType) map[string]struct{} {
out := map[string]struct{}{}
if ft.Params == nil {
return out
}
for _, field := range ft.Params.List {
if !isReferenceType(field.Type) {
continue
}
for _, n := range field.Names {
if n.Name != "" && n.Name != "_" {
out[n.Name] = struct{}{}
}
}
}
return out
}
// isReferenceType reports whether expr names a slice, variadic, or map.
// Pointer-to-slice / map are also reference-typed for our purposes.
func isReferenceType(expr ast.Expr) bool {
switch t := expr.(type) {
case *ast.ArrayType:
// nil Len → slice (`[]T`). Fixed-length arrays are value types.
return t.Len == nil
case *ast.MapType:
return true
case *ast.Ellipsis:
return true
case *ast.StarExpr:
return isReferenceType(t.X)
}
return false
}
// scanBuilderBody walks fn.Body and emits a violation for each
// `recv.<Field> = <param>` assignment whose RHS is a bare reference-
// typed parameter (not wrapped in slices.Clone / maps.Clone).
func scanBuilderBody(path string, fset *token.FileSet, fn *ast.FuncDecl, refParams map[string]struct{}) []Violation {
var out []Violation
recvName := ""
if len(fn.Recv.List[0].Names) > 0 {
recvName = fn.Recv.List[0].Names[0].Name
}
ast.Inspect(fn.Body, func(n ast.Node) bool {
assign, ok := n.(*ast.AssignStmt)
if !ok || (assign.Tok != token.ASSIGN && assign.Tok != token.DEFINE) {
return true
}
if len(assign.Lhs) != 1 || len(assign.Rhs) != 1 {
return true
}
// LHS must be `recv.Field`.
sel, ok := assign.Lhs[0].(*ast.SelectorExpr)
if !ok {
return true
}
if recvName != "" && !isIdent(sel.X, recvName) {
return true
}
// RHS must be a bare reference-typed parameter ident with no
// defensive Clone wrapper.
paramID, ok := assign.Rhs[0].(*ast.Ident)
if !ok {
return true
}
if _, isRef := refParams[paramID.Name]; !isRef {
return true
}
fieldName := ""
if sel.Sel != nil {
fieldName = sel.Sel.Name
}
out = append(out, Violation{
Rule: "builder_immutable",
Action: ActionReject,
File: path,
Line: fset.Position(assign.Pos()).Line,
Message: fn.Name.Name + " stashes caller-owned " + paramID.Name + " into " + fieldName + " without defensive copy",
Suggestion: "wrap the assignment with slices.Clone / maps.Clone (e.g. `" +
sel.Sel.Name + " = slices.Clone(" + paramID.Name + ")`); raw assignment lets the caller mutate the already-emitted typed envelope",
})
return true
})
return out
}