mirror of
https://github.com/larksuite/cli.git
synced 2026-07-07 00:55:53 +08:00
AI agents running inside OpenClaw / Hermes were routinely creating a parallel
app via `config init --new` instead of binding to the agent's existing app,
because every "not configured" hint and several deny errors hard-coded
`config init` regardless of workspace. Once bound, the same agents could
silently grant themselves user identity (impersonation) without the user
ever seeing a risk message in chat.
Changes:
- Introduce `core.NotConfiguredError` / `NoActiveProfileError` /
`reconfigureHint` helpers that branch on `CurrentWorkspace()`. In agent
workspaces they point at `lark-cli config bind --help` (a help page, not
a ready-to-run command) so AI must read the binding workflow and confirm
identity preset with the user before acting. In local terminals they
preserve the previous `config init --new` guidance.
- Migrate every `config init` hint that should be workspace-aware:
RequireConfigForProfile, default credential provider, credential provider
fallback, secret-resolve mismatch, config show, strict-mode entry-point
errors, default-as, profile use/rename/remove, auth list, doctor's
config_file check (which now also wraps the OS-level "no such file"
noise into the user-shaped "not configured" message).
- Refuse `config init` when run inside an OpenClaw / Hermes workspace by
default; add `--force-init` for the rare case the user genuinely wants
a parallel app. Without this guard, hint fixes were undone the moment
AI ignored them.
- Rewrite the strict-mode deny errors in cmd/auth/login.go, cmd/prune.go,
and internal/cmdutil/factory.go. The previous "AI agents are strictly
prohibited from modifying this setting" terminated AI reasoning while
providing no real gate. New errors point at `config strict-mode --help`
with the legitimate confirmation flow and explicitly note that switching
does NOT require re-bind. Integration test envelopes updated.
- Tighten `config bind --help` and `config strict-mode --help` to encode
the user-confirmation discipline directly: identity preset semantics
(bot-only vs user-default), "DO NOT switch without explicit user
confirmation", and a cross-reference clarifying that `config bind` is
for changing the underlying app while `config strict-mode` is the
policy-only switch (resolves an ambiguity an audit run found).
- Surface user-identity (impersonation) risk at every config write that
newly grants it, by reusing the canonical IdentityEscalationMessage
string from bind_messages.go:
- `noticeUserDefaultRisk` fires on flag-mode bind landing on
user-default, including the first-time case `warnIdentityEscalation`
misses (it requires a previous bot lock).
- `setStrictMode` warns when transitioning bot → user or bot → off
(newly permits user identity); stays quiet on narrowing changes
and on off → user (off already permitted user).
- Add tests: notconfigured_test.go (workspace branches),
init_guard_test.go (refuse + --force-init bypass), bind_warning_test.go
(user-default warning fires; bot-only does not), strict_mode_warning_test.go
(5 transitions covering both warn and no-warn paths).
Two follow-ups intentionally deferred: the keychain master-key hint at
internal/keychain/keychain.go:42 still suggests `config init` because the
keychain package can't import core (would be circular); fixing requires
either parameterizing the hint via callback or extracting workspace into
its own package. The lark-shared skill doc still tells AI to run
`config init` for first-time setup; updating the skill is in scope for
a follow-up PR.
Change-Id: I02273e044d9e061d211ceaa4f3ed5a3fb28325b3
81 lines
2.6 KiB
Go
81 lines
2.6 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"fmt"
|
|
"slices"
|
|
|
|
"github.com/larksuite/cli/internal/cmdutil"
|
|
"github.com/larksuite/cli/internal/core"
|
|
"github.com/larksuite/cli/internal/output"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
// pruneForStrictMode removes commands incompatible with the active strict mode.
|
|
func pruneForStrictMode(root *cobra.Command, mode core.StrictMode) {
|
|
pruneIncompatible(root, mode)
|
|
pruneEmpty(root)
|
|
}
|
|
|
|
// pruneIncompatible recursively replaces commands whose annotation declares
|
|
// identities incompatible with the forced identity. Commands without annotation are kept.
|
|
// Hidden stubs preserve direct execution so users get a strict-mode error instead
|
|
// of Cobra's generic "unknown flag" fallback from the parent command.
|
|
func pruneIncompatible(parent *cobra.Command, mode core.StrictMode) {
|
|
forced := string(mode.ForcedIdentity())
|
|
var toRemove []*cobra.Command
|
|
var toAdd []*cobra.Command
|
|
for _, child := range parent.Commands() {
|
|
ids := cmdutil.GetSupportedIdentities(child)
|
|
if ids != nil && !slices.Contains(ids, forced) {
|
|
toRemove = append(toRemove, child)
|
|
toAdd = append(toAdd, strictModeStubFrom(child, mode))
|
|
continue
|
|
}
|
|
pruneIncompatible(child, mode)
|
|
}
|
|
if len(toRemove) > 0 {
|
|
parent.RemoveCommand(toRemove...)
|
|
parent.AddCommand(toAdd...)
|
|
}
|
|
}
|
|
|
|
func strictModeStubFrom(child *cobra.Command, mode core.StrictMode) *cobra.Command {
|
|
return &cobra.Command{
|
|
Use: child.Use,
|
|
Aliases: append([]string(nil), child.Aliases...),
|
|
Hidden: true,
|
|
DisableFlagParsing: true,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return output.ErrWithHint(output.ExitValidation, "strict_mode",
|
|
fmt.Sprintf("strict mode is %q, only %s-identity commands are available", mode, mode.ForcedIdentity()),
|
|
"if the user explicitly wants to switch policy, see `lark-cli config strict-mode --help` (confirm with the user before switching; switching does NOT require re-bind)")
|
|
},
|
|
}
|
|
}
|
|
|
|
// pruneEmpty recursively removes group commands (no Run/RunE) that have
|
|
// no remaining subcommands after pruning. If only hidden stubs remain, keep
|
|
// the group hidden so direct execution still resolves to the stub path.
|
|
func pruneEmpty(parent *cobra.Command) {
|
|
var toRemove []*cobra.Command
|
|
for _, child := range parent.Commands() {
|
|
pruneEmpty(child)
|
|
if child.Run != nil || child.RunE != nil {
|
|
continue
|
|
}
|
|
switch {
|
|
case child.HasAvailableSubCommands():
|
|
case len(child.Commands()) > 0:
|
|
child.Hidden = true
|
|
default:
|
|
toRemove = append(toRemove, child)
|
|
}
|
|
}
|
|
if len(toRemove) > 0 {
|
|
parent.RemoveCommand(toRemove...)
|
|
}
|
|
}
|