Skip to content

feat(apps): add role management shortcuts#1881

Merged
liangshuo-1 merged 1 commit into
mainfrom
feat/apps-role-management-framework
Jul 16, 2026
Merged

feat(apps): add role management shortcuts#1881
liangshuo-1 merged 1 commit into
mainfrom
feat/apps-role-management-framework

Conversation

@linchao5102

@linchao5102 linchao5102 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Add first-class app role management to the apps shortcut domain, including role CRUD, typed member operations, and user-role matching. The commands preserve structured error contracts, require explicit confirmation for destructive operations, and keep machine-readable output suitable for AI-agent consumers.

This revision also hardens role-member response semantics: filtered reads expose only the selected member field, omitted fields remain unknown instead of being reported as empty, and malformed member mutation responses fail closed.

Changes

  • Add nine role shortcuts: +role-list, +role-get, +role-create, +role-update, +role-delete, +role-member-list, +role-member-add, +role-member-remove, and +role-match-list.
  • Add strict app, role, member, pagination, and response validation, including exact-name role resolution, atomic member writes, safe delete acknowledgements, and a narrow chat-filter compatibility fallback.
  • Preserve backend truth in member output: --member-type returns only the selected field, pretty output omits unqueried groups, and malformed returned IDs or group shapes produce typed invalid_response errors.
  • Update the lark-apps Skill and role reference with focused role routing, high-impact confirmation, readback, and member-resolution guidance.
  • Add unit tests plus dry-run/local E2E coverage for role and member workflows. Live role workflows remain intentionally fixture-gated and skipped by default.
  • Correct the documented department ID prefix from od_ to od- and refresh Apps E2E coverage accounting to reflect 79 registered Apps shortcuts.

Test Plan

  • make build
  • make unit-test
  • go vet ./...
  • make fmt-check
  • go mod tidy -diff
  • go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 run --new-from-rev=origin/main
  • QUALITY_GATE_CHANGED_FROM=origin/main make quality-gate
  • LARK_CLI_BIN=./lark-cli go test ./tests/cli_e2e/apps -count=1 with live role fixtures and tokens intentionally unset
  • GitHub CI passes for commit 60519031, including unit, lint, deterministic-gate, dry-run E2E, live E2E job, coverage, security, and result aggregation

Live role E2E remains fixture-gated and skipped by default to avoid mutating tenant role state; this verification did not perform live tenant mutations.

Related Issues

  • None

Summary by CodeRabbit

  • New Features

    • Added CLI shortcuts for app role management (+role-list/get/create/update/delete), role member management (+role-member-list/add/remove), and role matching (+role-match-list), including output formatting and safer high-risk flows.
    • Improved exact-name scanning and pagination behavior; +role-member-list can warn and fall back when chat filtering isn’t supported.
  • Bug Fixes

    • Standardized department identifiers to the od- form (including simulated/dry-run placeholders).
  • Documentation

    • Expanded RBAC workflow guidance with a complete role-management SOP and updated routing/confirmation rules.
  • Tests

    • Added extensive unit, CLI E2E, and coverage updates for role and member commands.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds nine Apps CLI shortcuts for role CRUD, role-member management, and role matching, with shared validation, pagination, response normalization, rendering, documentation, unit tests, registry tests, Spark error metadata, and fixture-gated E2E workflows. Department identifier fixtures now use dash syntax.

Changes

Apps role management

Layer / File(s) Summary
Role contracts and validation
shortcuts/apps/apps_role_common.go, shortcuts/apps/apps_role_common_test.go
Adds role, app, member, pagination, response, sanitization, and error-hint validation helpers with focused tests.
Role CRUD commands
shortcuts/apps/apps_role.go, shortcuts/apps/apps_role_test.go
Adds role list/get/create/update/delete commands, exact-name scanning, response normalization, rendering, and CRUD tests.
Role members and matching
shortcuts/apps/apps_role_member.go, shortcuts/apps/apps_role_member_test.go
Adds member list/add/remove and role-match commands with filtering, retry handling, normalization, formatting, and execution tests.
Shortcut registration and registry tests
shortcuts/apps/shortcuts.go, shortcuts/apps/shortcuts_test.go
Registers role commands and verifies the expanded visible shortcut set.
Role execution guidance
skills/lark-apps/SKILL.md, skills/lark-apps/references/lark-apps-role.md, skills/lark-apps/references/lark-apps-access-scope-set.md
Documents role identifiers, serialized execution, pagination, member operations, confirmation, readback, and department ID syntax.
End-to-end workflows and coverage
tests/cli_e2e/apps/apps_role_management_test.go, tests/cli_e2e/apps/coverage.md
Adds dry-run, validation, fixture-gated live workflows, and coverage records for role operations.
Spark error metadata
internal/errclass/codemeta_spark.go, internal/errclass/codemeta_spark_test.go
Registers and tests Spark role error-code classifications.
Department identifier consistency
shortcuts/apps/apps_access_scope_get_test.go, internal/qualitygate/rules/dryrun.go, internal/qualitygate/rules/dryrun_test.go
Updates department fixtures and placeholder values from od_ to od- syntax.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant AppsAPI
  participant RoleState
  CLI->>AppsAPI: List, create, update, delete, or match role request
  AppsAPI->>RoleState: Read or mutate role and member data
  RoleState-->>AppsAPI: Role or member response
  AppsAPI-->>CLI: Typed response or Spark error
  CLI->>AppsAPI: Independent readback for verification
Loading

Possibly related PRs

  • larksuite/cli#1002: Updates the related Apps access-scope department identifier handling.

Suggested labels: feature

Suggested reviewers: liangshuo-1

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 4.71% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding app role management shortcuts.
Description check ✅ Passed The description matches the required template with Summary, Changes, Test Plan, and Related Issues sections.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/apps-role-management-framework

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the size/XL Architecture-level or global-impact change label Jul 14, 2026
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@5cdb7ee7de4e46f19aff7ccfc750c8f4fd53dbd2

🧩 Skill update

npx skills add larksuite/cli#feat/apps-role-management-framework -y -g

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shortcuts/apps/apps_role_common.go`:
- Around line 275-278: Remove the single-flag param metadata from the multi-flag
validation errors: in shortcuts/apps/apps_role_common.go lines 275-278, update
the validation error for the total users/departments/chats check; in
shortcuts/apps/apps_role.go lines 193-195, update the validation error for the
alternative update fields; and in shortcuts/apps/apps_role_member.go lines
370-372, update the validation error for member flags or --all. Each error
should omit param while preserving its message and hint.

In `@shortcuts/apps/apps_role_test.go`:
- Around line 898-907: Extend the error assertions after AppsRoleList.Execute in
shortcuts/apps/apps_role_test.go (898-907) to verify the typed problem’s
category and subtype in addition to roleAppHint. Apply the same category and
subtype assertions after role-match hint decoration in
shortcuts/apps/apps_role_member_test.go (700-709), preserving the existing hint
checks.

In `@shortcuts/apps/apps_role.go`:
- Around line 431-448: Make role-list parsing fail closed in parseRoleListPage
by validating every item and requiring a usable role_id or id when processing
the unfiltered path; return an invalid-response error for malformed entries
rather than accepting them. In shortcuts/apps/apps_role_member.go lines 432-443,
reject present non-array roles fields and malformed role entries instead of
treating them as no matches. Add regression tests covering each malformed
response shape in both affected files.

In `@tests/cli_e2e/apps/coverage.md`:
- Line 46: Update the role-member-list row in the coverage table so the
member_type alternatives use the existing slash-separated convention instead of
literal pipe characters, preserving the meaning while keeping the row at the
expected column count.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1cb84bc1-0ca8-461e-a529-4fbebb09e76d

📥 Commits

Reviewing files that changed from the base of the PR and between 37d490a and 09e87c8.

📒 Files selected for processing (14)
  • shortcuts/apps/apps_access_scope_get_test.go
  • shortcuts/apps/apps_role.go
  • shortcuts/apps/apps_role_common.go
  • shortcuts/apps/apps_role_common_test.go
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role_member_test.go
  • shortcuts/apps/apps_role_test.go
  • shortcuts/apps/shortcuts.go
  • shortcuts/apps/shortcuts_test.go
  • skills/lark-apps/SKILL.md
  • skills/lark-apps/references/lark-apps-access-scope-set.md
  • skills/lark-apps/references/lark-apps-role.md
  • tests/cli_e2e/apps/apps_role_management_test.go
  • tests/cli_e2e/apps/coverage.md

Comment thread shortcuts/apps/apps_role_common.go
Comment thread shortcuts/apps/apps_role_test.go
Comment thread shortcuts/apps/apps_role.go Outdated
Comment thread tests/cli_e2e/apps/coverage.md Outdated
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.48850% with 136 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.88%. Comparing base (80b3645) to head (5cdb7ee).

Files with missing lines Patch % Lines
shortcuts/apps/apps_role.go 84.68% 48 Missing and 20 partials ⚠️
shortcuts/apps/apps_role_member.go 89.34% 22 Missing and 17 partials ⚠️
shortcuts/apps/apps_role_common.go 89.09% 20 Missing and 9 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1881      +/-   ##
==========================================
+ Coverage   74.73%   74.88%   +0.14%     
==========================================
  Files         887      891       +4     
  Lines       92644    93730    +1086     
==========================================
+ Hits        69235    70187     +952     
- Misses      18050    18138      +88     
- Partials     5359     5405      +46     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@linchao5102 linchao5102 requested a review from liangshuo-1 as a code owner July 14, 2026 09:48

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
shortcuts/apps/apps_role_common.go (1)

452-456: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Magic number "100" duplicated instead of referencing maxRoleMembers.

roleMemberLimitParams's reason string (L475) hardcodes "...exceeds 100", and the adjacent .WithHint(...) text (L455) hardcodes "at most 100 members". If maxRoleMembers ever changes, both strings silently go stale while the primary error message (which correctly uses %d, maxRoleMembers) stays accurate.

♻️ Proposed fix
-			WithHint("reduce the atomic request to at most 100 members; the CLI does not split member writes automatically")
+			WithHint(fmt.Sprintf("reduce the atomic request to at most %d members; the CLI does not split member writes automatically", maxRoleMembers))
 func roleMemberLimitParams(groups roleMemberGroups) []errs.InvalidParam {
-	reason := "combined role member count exceeds 100"
+	reason := fmt.Sprintf("combined role member count exceeds %d", maxRoleMembers)

Also applies to: 474-487

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shortcuts/apps/apps_role_common.go` around lines 452 - 456, Replace the
hardcoded “100” values in the WithHint text near the maxRoleMembers check and
the reason string returned by roleMemberLimitParams with formatting that uses
maxRoleMembers, so all member-limit messages remain consistent when the constant
changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shortcuts/apps/apps_role_common.go`:
- Around line 288-313: The authorization branch in withRoleErrorHint currently
overwrites server-provided Problem.Hint details; preserve existing lifted detail
by appending the role-specific hint instead. Update the hint-selection logic so
CategoryAuthorization follows the same append behavior as other noncanonical
existing hints, while retaining the current handling for empty or canonical API
hints.

---

Nitpick comments:
In `@shortcuts/apps/apps_role_common.go`:
- Around line 452-456: Replace the hardcoded “100” values in the WithHint text
near the maxRoleMembers check and the reason string returned by
roleMemberLimitParams with formatting that uses maxRoleMembers, so all
member-limit messages remain consistent when the constant changes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93faca35-fe72-42ce-84cb-7ecac62e1859

📥 Commits

Reviewing files that changed from the base of the PR and between 09e87c8 and 7ec7b2f.

📒 Files selected for processing (13)
  • internal/errclass/codemeta_spark.go
  • internal/errclass/codemeta_spark_test.go
  • internal/qualitygate/rules/dryrun.go
  • internal/qualitygate/rules/dryrun_test.go
  • shortcuts/apps/apps_role.go
  • shortcuts/apps/apps_role_common.go
  • shortcuts/apps/apps_role_common_test.go
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role_member_test.go
  • shortcuts/apps/apps_role_test.go
  • skills/lark-apps/references/lark-apps-role.md
  • tests/cli_e2e/apps/apps_role_management_test.go
  • tests/cli_e2e/apps/coverage.md
🚧 Files skipped from review as they are similar to previous changes (6)
  • tests/cli_e2e/apps/coverage.md
  • shortcuts/apps/apps_role_test.go
  • shortcuts/apps/apps_role_member.go
  • skills/lark-apps/references/lark-apps-role.md
  • tests/cli_e2e/apps/apps_role_management_test.go
  • shortcuts/apps/apps_role_member_test.go

Comment thread shortcuts/apps/apps_role_common.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/lark-apps/references/lark-apps-role.md`:
- Around line 7-15: Remove the blank lines between the consecutive [!CAUTION]
blockquote paragraphs in the role documentation. Keep all caution text within
one contiguous blockquote so markdownlint MD028 passes.
- Around line 409-413: Update the destructive role-member removal procedure to
require confirmation before any write, following the batch-removal rule near
line 381. After identifying the affected app, roles, and target group, present
them and obtain confirmation, then execute the full command with --app-id,
--role-id, --as user, --chats, --yes, and --format json while preserving serial
writes and post-removal rereads.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 782e6372-29d6-442e-bd83-58aba6ffc618

📥 Commits

Reviewing files that changed from the base of the PR and between 7ec7b2f and 29315f4.

📒 Files selected for processing (8)
  • shortcuts/apps/apps_role.go
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role_member_test.go
  • shortcuts/apps/apps_role_test.go
  • skills/lark-apps/SKILL.md
  • skills/lark-apps/references/lark-apps-access-scope-set.md
  • skills/lark-apps/references/lark-apps-role.md
  • tests/cli_e2e/apps/apps_role_management_test.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role.go
  • tests/cli_e2e/apps/apps_role_management_test.go

Comment thread skills/lark-apps/references/lark-apps-role.md Outdated
Comment thread skills/lark-apps/references/lark-apps-role.md Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shortcuts/apps/apps_role.go`:
- Around line 624-658: Update roleResponseData and parseRoleResponseData to
project description into a typed Description field, validating any present value
as a supported string and rejecting unsupported non-string values instead of
retaining it in Fields; update shortcuts/apps/apps_role.go:709-712 to render the
projected Description, and add the non-string-description invalid-response case
in shortcuts/apps/apps_role_test.go:385-412.

In `@skills/lark-apps/references/lark-apps-role.md`:
- Line 286: Update the contact +search-user recipe and its duplicate rule to
match email inputs against the user email field rather than localized_name,
while continuing to match name inputs against localized_name. Preserve the
requirement that exactly one user matches and use that matched user’s open_id,
with has_more=false.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 66d3ea71-4715-4a03-a4ed-402ad50570c1

📥 Commits

Reviewing files that changed from the base of the PR and between 29315f4 and 3524ea6.

📒 Files selected for processing (8)
  • shortcuts/apps/apps_role.go
  • shortcuts/apps/apps_role_common.go
  • shortcuts/apps/apps_role_common_test.go
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role_member_test.go
  • shortcuts/apps/apps_role_test.go
  • skills/lark-apps/references/lark-apps-role.md
  • tests/cli_e2e/apps/apps_role_management_test.go
🚧 Files skipped from review as they are similar to previous changes (5)
  • shortcuts/apps/apps_role_common_test.go
  • shortcuts/apps/apps_role_common.go
  • tests/cli_e2e/apps/apps_role_management_test.go
  • shortcuts/apps/apps_role_member.go
  • shortcuts/apps/apps_role_member_test.go

Comment thread shortcuts/apps/apps_role.go Outdated
Comment thread skills/lark-apps/references/lark-apps-role.md Outdated
@linchao5102 linchao5102 force-pushed the feat/apps-role-management-framework branch 3 times, most recently from 9a6801b to 6051903 Compare July 15, 2026 14:19
@linchao5102 linchao5102 force-pushed the feat/apps-role-management-framework branch from 6051903 to 5cdb7ee Compare July 15, 2026 18:27
@liangshuo-1 liangshuo-1 merged commit baf6050 into main Jul 16, 2026
24 checks passed
@liangshuo-1 liangshuo-1 deleted the feat/apps-role-management-framework branch July 16, 2026 06:09
@liangshuo-1 liangshuo-1 mentioned this pull request Jul 16, 2026
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/XL Architecture-level or global-impact change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants