mirror of
https://github.com/larksuite/cli.git
synced 2026-07-03 14:02:43 +08:00
Every failure on the authentication, authorization, and configuration
path now surfaces as a typed structured error instead of an ad-hoc
envelope. Users and scripts that consume CLI output get:
- a fixed nine-category taxonomy on the wire, each mapped to a
stable shell exit code (authentication/authorization/config = 3,
network = 4, internal = 5, policy = 6, confirmation = 10)
- identity-aware detail fields (missing_scopes, requested_scopes,
granted_scopes, console_url, log_id, retryable, hint) carried
uniformly on the envelope
- a single canonical policy envelope at exit 6; the legacy
auth_error carve-out is retired
- per-subtype canonical message + hint that preserves Lark's
diagnostic phrasing and routes recovery to the right actor:
app developer (app_scope_not_applied), user (missing_scope,
token_scope_insufficient, user_unauthorized), or tenant admin
(app_unavailable, app_disabled)
- wrong app credentials classify as config/invalid_client whether
surfaced by the Open API endpoint (99991543) or the tenant
access-token mint endpoint (10003 / 10014), instead of
collapsing to a transport error or api/unknown
- local shortcut scope preflight emits the same
authorization/missing_scope envelope (identity + deterministic
missing-scope set) used by the post-call permission path, so AI
consumers read the same structured shape from precheck and from
server-returned permission denial
- streaming download/upload failures keep the same network subtype
split (timeout / TLS / DNS / transport) as the non-stream path
instead of collapsing every cause to a generic transport failure
- console_url is carried only on the bot-perspective
app_scope_not_applied envelope (where the recovery action is
"developer applies the scope at the developer console"); the
user-perspective missing_scope envelope drops the field, since
the only actionable user recovery is `lark-cli auth login --scope`
and pointing an end user at a console they cannot modify is
misleading
- bind workflows (Hermes / OpenClaw / lark-channel) flatten dynamic
Type tags to wire 'config' with the original module name kept
as a metric label
All 10 typed errors are cause-bearing, nil-safe on .Error() and
.Unwrap(), and defensively clone slice setter inputs. Four lint
rules (CheckNilSafeError / CheckBuilderImmutable / CheckUnwrapSymmetry
/ CheckBuildAPIErrorArms) lock these invariants on migrated paths.
164 lines
4.8 KiB
Go
164 lines
4.8 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package errscontract
|
|
|
|
import (
|
|
"go/ast"
|
|
"go/parser"
|
|
"go/token"
|
|
"strings"
|
|
)
|
|
|
|
// CheckBuilderImmutable enforces builder immutability: a `With*` method on
|
|
// a typed *Error must not stash a caller-provided slice or map directly
|
|
// into a receiver field. The caller can later mutate the slice/map
|
|
// (append, delete) and silently corrupt the already-emitted typed envelope.
|
|
//
|
|
// Required shape — defensive clone:
|
|
//
|
|
// func (e *PermissionError) WithMissingScopes(scopes ...string) *PermissionError {
|
|
// e.MissingScopes = slices.Clone(scopes)
|
|
// return e
|
|
// }
|
|
//
|
|
// Violating shape — raw assignment:
|
|
//
|
|
// func (e *PermissionError) WithMissingScopes(scopes ...string) *PermissionError {
|
|
// e.MissingScopes = scopes
|
|
// return e
|
|
// }
|
|
//
|
|
// Detection strategy (AST-only, no type info):
|
|
// - Method name starts with "With" and takes at least one parameter
|
|
// - One parameter is a slice (`[]T`), variadic (`...T`), or map (`map[K]V`)
|
|
// - The method body contains `e.<Field> = <paramName>` where <paramName>
|
|
// is exactly the slice/map parameter, with no slices.Clone / maps.Clone
|
|
// wrapper.
|
|
//
|
|
// Scope: errs/ package files (typed builders live there).
|
|
//
|
|
// Returns REJECT violations.
|
|
func CheckBuilderImmutable(path, src string) []Violation {
|
|
if !isErrsPackagePath(path) {
|
|
return nil
|
|
}
|
|
fset := token.NewFileSet()
|
|
file, err := parser.ParseFile(fset, path, src, parser.ParseComments)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
var out []Violation
|
|
for _, decl := range file.Decls {
|
|
fn, ok := decl.(*ast.FuncDecl)
|
|
if !ok || fn.Recv == nil || fn.Body == nil {
|
|
continue
|
|
}
|
|
if fn.Name == nil || !strings.HasPrefix(fn.Name.Name, "With") {
|
|
continue
|
|
}
|
|
// Only fire on methods whose receiver is a typed *Error from this package.
|
|
recvType := receiverTypeName(fn.Recv.List[0].Type)
|
|
if recvType == "" || !strings.HasSuffix(recvType, "Error") || recvType == "Error" {
|
|
continue
|
|
}
|
|
refParams := collectReferenceTypeParams(fn.Type)
|
|
if len(refParams) == 0 {
|
|
continue
|
|
}
|
|
out = append(out, scanBuilderBody(path, fset, fn, refParams)...)
|
|
}
|
|
return out
|
|
}
|
|
|
|
// collectReferenceTypeParams returns the names of parameters whose type
|
|
// is a slice, variadic, or map (the reference-mutable shapes the rule
|
|
// guards). Pointer-to-slice / pointer-to-map are also considered.
|
|
func collectReferenceTypeParams(ft *ast.FuncType) map[string]struct{} {
|
|
out := map[string]struct{}{}
|
|
if ft.Params == nil {
|
|
return out
|
|
}
|
|
for _, field := range ft.Params.List {
|
|
if !isReferenceType(field.Type) {
|
|
continue
|
|
}
|
|
for _, n := range field.Names {
|
|
if n.Name != "" && n.Name != "_" {
|
|
out[n.Name] = struct{}{}
|
|
}
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
// isReferenceType reports whether expr names a slice, variadic, or map.
|
|
// Pointer-to-slice / map are also reference-typed for our purposes.
|
|
func isReferenceType(expr ast.Expr) bool {
|
|
switch t := expr.(type) {
|
|
case *ast.ArrayType:
|
|
// nil Len → slice (`[]T`). Fixed-length arrays are value types.
|
|
return t.Len == nil
|
|
case *ast.MapType:
|
|
return true
|
|
case *ast.Ellipsis:
|
|
return true
|
|
case *ast.StarExpr:
|
|
return isReferenceType(t.X)
|
|
}
|
|
return false
|
|
}
|
|
|
|
// scanBuilderBody walks fn.Body and emits a violation for each
|
|
// `recv.<Field> = <param>` assignment whose RHS is a bare reference-
|
|
// typed parameter (not wrapped in slices.Clone / maps.Clone).
|
|
func scanBuilderBody(path string, fset *token.FileSet, fn *ast.FuncDecl, refParams map[string]struct{}) []Violation {
|
|
var out []Violation
|
|
recvName := ""
|
|
if len(fn.Recv.List[0].Names) > 0 {
|
|
recvName = fn.Recv.List[0].Names[0].Name
|
|
}
|
|
ast.Inspect(fn.Body, func(n ast.Node) bool {
|
|
assign, ok := n.(*ast.AssignStmt)
|
|
if !ok || (assign.Tok != token.ASSIGN && assign.Tok != token.DEFINE) {
|
|
return true
|
|
}
|
|
if len(assign.Lhs) != 1 || len(assign.Rhs) != 1 {
|
|
return true
|
|
}
|
|
// LHS must be `recv.Field`.
|
|
sel, ok := assign.Lhs[0].(*ast.SelectorExpr)
|
|
if !ok {
|
|
return true
|
|
}
|
|
if recvName != "" && !isIdent(sel.X, recvName) {
|
|
return true
|
|
}
|
|
// RHS must be a bare reference-typed parameter ident with no
|
|
// defensive Clone wrapper.
|
|
paramID, ok := assign.Rhs[0].(*ast.Ident)
|
|
if !ok {
|
|
return true
|
|
}
|
|
if _, isRef := refParams[paramID.Name]; !isRef {
|
|
return true
|
|
}
|
|
fieldName := ""
|
|
if sel.Sel != nil {
|
|
fieldName = sel.Sel.Name
|
|
}
|
|
out = append(out, Violation{
|
|
Rule: "builder_immutable",
|
|
Action: ActionReject,
|
|
File: path,
|
|
Line: fset.Position(assign.Pos()).Line,
|
|
Message: fn.Name.Name + " stashes caller-owned " + paramID.Name + " into " + fieldName + " without defensive copy",
|
|
Suggestion: "wrap the assignment with slices.Clone / maps.Clone (e.g. `" +
|
|
sel.Sel.Name + " = slices.Clone(" + paramID.Name + ")`); raw assignment lets the caller mutate the already-emitted typed envelope",
|
|
})
|
|
return true
|
|
})
|
|
return out
|
|
}
|