feat: add scope catalog and batch-import JSON generator #27
Open
zjsng wants to merge 2 commits into
Add `lark auth scopes --json-import` to generate Lark's batch-import JSON for app scope configuration. This separates three concerns:

- OAuth scopes (minimal, for `auth login`) stay in scopes.go
- App catalog (comprehensive tenant/user split) lives in catalog.go
- Runtime validation only checks user-token scopes

Also fixes scope validation for commands that use tenant tokens (msg, chat, contact get/list-dept, mail) by removing preflight checks that validated against the wrong token type. Tenant-token API errors are now surfaced directly instead.

Other changes:

- Remove unused `--add` flag from `auth login`
- Fix stale `--add --scopes` in error messages
- Update mail description to clarify IMAP relationship
- Add per-subcommand validation for contact search commands

- Remove references to unused `--add` flag across all skill files, USAGE.md, and CLAUDE.md
- Document `auth scopes --json-import` command in USAGE.md and CLAUDE.md
- Add `bitable` to scope groups table in USAGE.md
- Update mail description and documents description in scope groups table
- Note that Lark accumulates grants across logins
Problem

Setting up a Lark app requires manually toggling dozens of API scopes in the admin console — separately for tenant and user access tokens. Contributors don't know which scopes each CLI command needs, and getting it wrong means cryptic API errors at runtime.

Additionally, commands using `tenant_access_token` (`msg send`, `chat search`, `contact get`) were incorrectly pre-validated against the user token's scope string, which never contains tenant-granted scopes. This caused false "missing permissions" errors even when the app was correctly configured.

Solution

Add `lark auth scopes --json-import` to generate the batch-import JSON for Lark's app scope configuration page, and fix scope validation to only check what it can actually verify.

For users setting up a Lark app: Generate the exact scopes your app needs and paste them into the admin console:

For contributors adding new commands: Scope data lives in two files by design:

- `scopes.go`
- `catalog.go`

Commands using user tokens (cal, doc, sheet, bitable, minutes) keep `PersistentPreRun` scope validation. Commands using tenant tokens (msg, chat, contact get/list-dept) skip it — the API surfaces permission errors directly.

What's included

Batch-import JSON generator (`internal/scopes/catalog.go`)

`lark auth scopes --json-import [--groups ...]` outputs Lark's expected format:

```json
{
  "scopes": {
    "tenant": ["calendar:calendar", "calendar:calendar:readonly", "..."],
    "user": ["calendar:calendar.event:read", "offline_access", "..."]
  }
}
```

Scope validation fixes (`internal/cmd/{msg,chat,contact,mail}.go`)

- `PersistentPreRun` scope checks from tenant-token commands — these checked user token scopes for commands that use tenant tokens
- `PreRun` on `contact search` and `contact search-dept` (the two contact subcommands that actually use user tokens)

Cleanup

- `--add` flag from `auth login` (was defined but never wired up)
- `--add --scopes` references across USAGE.md, CLAUDE.md, and all 8 skill files
- `bitable` to scope groups table in USAGE.md

Test plan

- `lark auth scopes --json-import` generates valid JSON with tenant/user split
- `lark auth scopes --json-import --groups calendar` filters to specific group
- `lark auth scopes --json-import --groups invalid` errors with guidance
- `lark auth login --help` no longer shows `--add` flag
- `msg send`, `contact get`) no longer show false scope errors
- `cal list`, `doc get`) still validate scopes correctly
- `grep -r "\-\-add" USAGE.md CLAUDE.md skills/` returns nothing

🤖 Generated with Claude Code
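
As an added illustration (not code from this PR or from the lark CLI), the Go sketch below shows the split the description argues for: one catalog feeds the batch-import JSON for both token types, while the preflight check reads only user scopes. The names `Group`, `catalog`, `ImportJSON` and `MissingUserScopes` and the scope `placeholder:message.send` are hypothetical, and the user token's scope string is assumed to be space-separated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Group is a hypothetical catalog entry: scopes split by the token type that carries them.
type Group struct{ Tenant, User []string }

// Constructed sample data: calendar names are from the PR's sample output, "placeholder:..." is not a real scope.
var catalog = map[string]Group{
	"calendar": {
		Tenant: []string{"calendar:calendar", "calendar:calendar:readonly"},
		User:   []string{"calendar:calendar.event:read", "offline_access"},
	},
	"messages": {Tenant: []string{"placeholder:message.send"}},
}

// ImportJSON renders the selected groups in the {"scopes":{"tenant":[...],"user":[...]}} shape.
func ImportJSON(groups []string) (string, error) {
	out := map[string][]string{"tenant": {}, "user": {}}
	for _, name := range groups {
		g, ok := catalog[name]
		if !ok {
			return "", fmt.Errorf("unknown scope group %q", name)
		}
		out["tenant"] = append(out["tenant"], g.Tenant...)
		out["user"] = append(out["user"], g.User...)
	}
	b, err := json.Marshal(map[string]map[string][]string{"scopes": out})
	return string(b), err
}

// MissingUserScopes preflights user scopes only; tenant scopes never appear in a user token's scope string.
func MissingUserScopes(group, granted string) (missing []string) {
	have := " " + strings.Join(strings.Fields(granted), " ") + " " // assumes a space-separated scope string
	for _, s := range catalog[group].User {
		if !strings.Contains(have, " "+s+" ") {
			missing = append(missing, s)
		}
	}
	return missing
}

func main() {
	js, err := ImportJSON([]string{"calendar", "messages"})
	fmt.Println(js, err, MissingUserScopes("messages", "offline_access"))
}
```

A group that carries only tenant scopes yields no preflight findings, so a missing tenant grant shows up as the API's own permission error rather than a false "missing permissions" report.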