Skip to content

feat: add scope catalog and batch-import JSON generator#27

Open
zjsng wants to merge 2 commits into
yjwong:mainfrom
zjsng:feat/scope-catalog-and-batch-import
Open

feat: add scope catalog and batch-import JSON generator#27
zjsng wants to merge 2 commits into
yjwong:mainfrom
zjsng:feat/scope-catalog-and-batch-import

Conversation

@zjsng

@zjsng zjsng commented Mar 22, 2026

Copy link
Copy Markdown

Problem

Setting up a Lark app requires manually toggling dozens of API scopes in the admin console — separately for tenant and user access tokens. Contributors don't know which scopes each CLI command needs, and getting it wrong means cryptic API errors at runtime.

Additionally, commands using tenant_access_token (msg send, chat search, contact get) were incorrectly pre-validated against the user token's scope string, which never contains tenant-granted scopes. This caused false "missing permissions" errors even when the app was correctly configured.

Solution

Add lark auth scopes --json-import to generate the batch-import JSON for Lark's app scope configuration page, and fix scope validation to only check what it can actually verify.

For users setting up a Lark app: Generate the exact scopes your app needs and paste them into the admin console:

# All CLI features
lark auth scopes --json-import

# Only specific groups
lark auth scopes --json-import --groups calendar,documents

For contributors adding new commands: Scope data lives in two files by design:

File What to edit When
scopes.go OAuth scopes (minimal, ~27 total) Adding a command that needs user-token API access
catalog.go App config scopes (comprehensive) Adding scopes to the batch-import JSON output

Commands using user tokens (cal, doc, sheet, bitable, minutes) keep PersistentPreRun scope validation. Commands using tenant tokens (msg, chat, contact get/list-dept) skip it — the API surfaces permission errors directly.

What's included

Batch-import JSON generator (internal/scopes/catalog.go)

{
  "scopes": {
    "tenant": ["calendar:calendar", "calendar:calendar:readonly", "..."],
    "user": ["calendar:calendar.event:read", "offline_access", "..."]
  }
}

Scope validation fixes (internal/cmd/{msg,chat,contact,mail}.go)

  • Removed PersistentPreRun scope checks from tenant-token commands — these checked user token scopes for commands that use tenant tokens
  • Added per-subcommand PreRun on contact search and contact search-dept (the two contact subcommands that actually use user tokens)

Cleanup

  • Removed unused --add flag from auth login (was defined but never wired up)
  • Fixed stale --add --scopes references across USAGE.md, CLAUDE.md, and all 8 skill files
  • Added bitable to scope groups table in USAGE.md
  • Updated mail group description to clarify IMAP app password relationship

Test plan

  • lark auth scopes --json-import generates valid JSON with tenant/user split
  • lark auth scopes --json-import --groups calendar filters to specific group
  • lark auth scopes --json-import --groups invalid errors with guidance
  • lark auth login --help no longer shows --add flag
  • Tenant-token commands (msg send, contact get) no longer show false scope errors
  • User-token commands (cal list, doc get) still validate scopes correctly
  • grep -r "\-\-add" USAGE.md CLAUDE.md skills/ returns nothing

🤖 Generated with Claude Code

zjsng added 2 commits March 22, 2026 22:27
Add `lark auth scopes --json-import` to generate Lark's batch-import
JSON for app scope configuration. This separates three concerns:

- OAuth scopes (minimal, for `auth login`) stay in scopes.go
- App catalog (comprehensive tenant/user split) lives in catalog.go
- Runtime validation only checks user-token scopes

Also fixes scope validation for commands that use tenant tokens
(msg, chat, contact get/list-dept, mail) by removing preflight
checks that validated against the wrong token type. Tenant-token
API errors are now surfaced directly instead.

Other changes:
- Remove unused `--add` flag from `auth login`
- Fix stale `--add --scopes` in error messages
- Update mail description to clarify IMAP relationship
- Add per-subcommand validation for contact search commands
- Remove references to unused `--add` flag across all skill files,
  USAGE.md, and CLAUDE.md
- Document `auth scopes --json-import` command in USAGE.md and CLAUDE.md
- Add `bitable` to scope groups table in USAGE.md
- Update mail description and documents description in scope groups table
- Note that Lark accumulates grants across logins
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant