docs(lark-shared): split into references and fix exit-10/auth drift

[sang-neo03]

Summary

lark-shared is force-read by nearly every lark-* skill, so its token cost is paid on almost every Feishu task. This restructures it into a slim always-loaded core (169 → 89 lines) plus on-demand references/, and fixes several doc-vs-implementation drifts surfaced during code review.

Changes

• Progressive disclosure: move split-flow auth steps, exit-10 mechanics, and config-init / QR-code detail into references/{auth-split-flow,high-risk-approval,config-init}.md, loaded on demand via lark-cli skills read. Add a reference index to the entry.
• Safety stays in the entry: exit-10 gate + safe default (never silently add --yes), QR-code on any auth/config URL, split-flow rules, argv-only retry (no sh -c).
• exit-10 detection fix: key on exit code 10; accept both the flat (type=confirmation_required) and typed (type=confirmation + subtype=confirmation_required) envelopes; read the confirm flag from hint and append it to the original argv instead of hardcoding --yes (config bind uses --force). Operation name is error.action (typed) or error.risk.action (flat).
• Permission fields: distinguish permission_violations (raw API block) vs missing_scopes (CLI structured error).
• Misc: complete _notice fields (current / latest / message / command); switch description to Chinese; bump version to 1.1.0.

Test Plan

• Cross-compiled a binary with these changes and verified the embedded skills read lark-shared / skills list lark-shared resolve the slim entry plus all references on a clean host.
• Ran the local skillave read-only subset (18 cases): no skill-loading errors introduced (not found in skill = 0); the failures observed were pre-existing environment / stale-gold cases, not regressions.
• Code-grounded review over 3 rounds confirmed all field paths, the QR-code / opaque-URL rule, and the retry/argv rules match the implementation (internal/cmdutil/confirm.go, errs/types.go, cmd/auth/login.go, cmd/config/bind.go).

Related Issues

None.

Summary by CodeRabbit

• Documentation
  • Restructured authentication guidance with clearer identity semantics (--as user vs --as bot) and explicit split-flow workflow for agent-mediated authentication.
  • Enhanced security requirements for authorization URLs, requiring QR display and treating URLs as opaque strings.
  • Reorganized high-risk operation confirmation process with explicit user consent requirements.
  • Improved update check instructions for better user experience.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 77b8f0c8-0919-4cab-a7d6-1a1c6fd79edb

📥 Commits

Reviewing files that changed from the base of the PR and between f4e7abc and 6568abc.

📒 Files selected for processing (3)

• skills/lark-shared/SKILL.md
• skills/lark-shared/references/lark-shared-auth-split-flow.md
• skills/lark-shared/references/lark-shared-high-risk-approval.md

💤 Files with no reviewable changes (2)

• skills/lark-shared/references/lark-shared-auth-split-flow.md
• skills/lark-shared/references/lark-shared-high-risk-approval.md

🚧 Files skipped from review as they are similar to previous changes (1)

• skills/lark-shared/SKILL.md

---

📝 Walkthrough

Walkthrough

Three markdown files in skills/lark-shared/ restructure shared skill guidance: SKILL.md is converted into a reference-driven index, and two new reference documents lark-shared-auth-split-flow.md and lark-shared-high-risk-approval.md codify agent authentication split-flow and high-risk operation confirmation workflows with explicit security and error-handling rules.

Changes

Lark shared skill workflow documentation refactoring

Layer / File(s)	Summary
SKILL.md index structure and updated guidance skills/lark-shared/SKILL.md	SKILL.md is rewritten as a reference index routing readers to external docs for high-risk approval, auth split-flow, and token routing. Auth guidance clarifies --as user vs --as bot behavior and structured error handling using permission_violations/missing_scopes/console_url/hint. Update-check lifecycle forbids silent notice ignoring. URL/QR security rules mandate lark-cli auth qrcode for authorization and config URLs treated as opaque strings. High-risk confirmation (exit 10) now references the approval document requiring explicit user consent before retrying with appended confirmation flags.
Authentication split-flow reference document skills/lark-shared/references/lark-shared-auth-split-flow.md	New guide defines the two-stage agent authentication workflow: non-blocking initiation with --no-wait --json to extract verification_url and device_code, user presentation of URL and QR, explicit turn termination, and later agent-executed completion via --device-code. Enforces rules against same-turn polling after URL display and caching authorization links or device codes across turns. Documents auth scope/domain specification and incremental scope accumulation.
High-risk operation confirmation gate reference document skills/lark-shared/references/lark-shared-high-risk-approval.md	New guide documents the exit-10 confirmation gate for high-risk operations. Specifies subprocess exit code 10 as the authoritative signal and documents both flat and typed error envelope matching. Defines the handling workflow: detect exit 10, show user operation details and risk, extract confirmation flag from hint, append to original argv, and retry only after explicit consent. Lists disallowed behaviors including silent retries, incorrect error categorization, and shell-based command reconstruction. Provides --dry-run preview guidance and heuristics for identifying high-risk commands.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• larksuite/cli#1201: New auth split-flow documentation and device_code handling align directly with changes to auth login --no-wait --json output and split-flow enforcement.
• larksuite/cli#933: Split-flow authentication workflow using auth login --no-wait --json and --device-code completion overlaps with code changes for non-blocking device-flow enforcement.
• larksuite/cli#1283: Shared skills guidance refactoring with /wiki/ token-routing and auth identity rules overlaps with lark-doc/SKILL.md updates for the same patterns.

Suggested labels

domain/base

Suggested reviewers

• JackZhao10086
• liangshuo-1

Poem

🐰 In references we now confide,
Split flows and exit codes aligned,
No silent retries, no sh -c,
Just QR codes and clarity!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main changes: restructuring lark-shared into references and fixing exit-10/auth documentation drift.
Description check	✅ Passed	The description covers all required template sections: Summary, Changes, Test Plan, and Related Issues are all present and substantively filled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/lark-shared-progressive-disclosure

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.87%. Comparing base (76ba6fa) to head (6568abc).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1433      +/-   ##
==========================================
+ Coverage   72.83%   72.87%   +0.04%     
==========================================
  Files         732      737       +5     
  Lines       69140    69465     +325     
==========================================
+ Hits        50356    50624     +268     
- Misses      15003    15039      +36     
- Partials     3781     3802      +21     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@6568abcff4716d5ae8645cffaa28df3f70ce2819

🧩 Skill update

npx skills add larksuite/cli#docs/lark-shared-progressive-disclosure -y -g