fix(calendar): block auto bot fallback without user login

[calendar-assistant]

Summary

Prevent calendar shortcuts from silently operating on the bot calendar when user login is missing and identity auto-detection falls back to bot.

Changes

• add a shared calendar auth guard that rejects auto-detected bot fallback unless bot usage is explicit
• apply the guard to +agenda, +create, +freebusy, +rsvp, and +suggestion
• add regression tests covering the blocked auto-fallback path and the allowed explicit/default bot paths
• update calendar skill docs to reflect the expected explicit bot behavior

Test Plan

• make unit-test
• go mod tidy (no changes to go.mod or go.sum)
• go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 run --new-from-rev=origin/main
• Manual local verification confirms the lark-cli calendar ... command works as expected

Related Issues

• None

Summary by CodeRabbit

• Bug Fixes

  • Calendar shortcuts (agenda, create, freebusy, RSVP, suggestion) now require explicit user login or --as bot; automatic bot fallback is blocked.

• Tests

  • Added tests covering login requirements and explicit/default-bot behavior for calendar shortcuts.

• Documentation

  • Clarified calendar event wording and updated agenda output requirements and minor formatting fixes.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a pre-validation guard that rejects automatic bot fallback for calendar shortcuts by calling rejectCalendarAutoBotFallback(runtime) at the start of several Validate handlers; accompanying helpers and tests enforce and verify the new login/bot behavior.

Changes

Cohort / File(s)	Summary
Calendar Shortcuts Validation shortcuts/calendar/calendar_agenda.go, shortcuts/calendar/calendar_create.go, shortcuts/calendar/calendar_freebusy.go, shortcuts/calendar/calendar_rsvp.go, shortcuts/calendar/calendar_suggestion.go	Each shortcut's Validate now calls rejectCalendarAutoBotFallback(runtime) first, returning its error immediately to prevent auto-bot fallback before existing validation runs.
Helpers & Tests shortcuts/calendar/helpers.go, shortcuts/calendar/calendar_test.go	Added hasExplicitBotFlag and rejectCalendarAutoBotFallback helper logic; added test helpers and three tests verifying login requirement and explicit/default-bot bypass behavior.
Documentation skills/lark-calendar/SKILL.md, skills/lark-calendar/references/lark-calendar-agenda.md, skills/lark-calendar/references/lark-calendar-suggestion.md	Minor text/whitespace edits and clarified agenda output to remove busy/RSVP fields requirement; fixed trailing newline/blank-line issues.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(calendar): implement rsvp shortcut #151: Modifies CalendarRsvp.Validate to add a rejectCalendarAutoBotFallback pre-validation call—strongly related code-level change.

Suggested reviewers

• hugang-lark
• liangshuo-1

Poem

🐰 I hopped into calendar code tonight,

guarding logins with a gentle bite.
Bots still can help if you clearly say so,
otherwise user-login is how we go.
Hooray for tests—now onward we hop! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: blocking automatic bot fallback in calendar commands when user login is missing.
Description check	✅ Passed	The description includes all required sections with sufficient detail: summary explains the motivation, changes list the concrete modifications, test plan documents verification steps, and related issues are noted.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/calendar-auto-bot-fallback

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds rejectCalendarAutoBotFallback, a shared auth guard that blocks calendar shortcuts (+agenda, +create, +freebusy, +rsvp, +suggestion) when the bot identity was silently auto-detected due to missing user login, while still permitting explicit --as bot and DefaultAs: \"bot\" config. Regression tests cover the blocked auto-fallback path, explicit-bot bypass, and default-as-bot bypass.

Confidence Score: 5/5

Safe to merge — the guard logic is correct for all identity resolution paths and all five shortcuts are covered with regression tests.

No new P0 or P1 findings. The only open concerns are from prior threads (redundant hasExplicitBotFlag check and the truncated agenda doc sentence). All remaining observations are P2 style-level. The core guard correctly distinguishes auto-detected bot fallback from explicit and config-driven bot usage across every resolution path.

No files require special attention beyond the previously flagged items in helpers.go and lark-calendar-agenda.md.

Important Files Changed

Filename	Overview
shortcuts/calendar/helpers.go	Adds hasExplicitBotFlag and rejectCalendarAutoBotFallback; guard logic is correct but hasExplicitBotFlag is redundant (noted in prior thread) since IdentityAutoDetected=false already covers the explicit-bot path
shortcuts/calendar/calendar_test.go	Adds well-structured regression tests for all five shortcuts (blocked auto-fallback), explicit --as bot bypass, and DefaultAs: "bot" bypass; test helpers noLoginConfig and noLoginBotDefaultConfig are appropriate
shortcuts/calendar/calendar_agenda.go	Adds new Validate hook calling rejectCalendarAutoBotFallback; straightforward and correct
shortcuts/calendar/calendar_freebusy.go	Guard prepended correctly; existing --user-id required-for-bot check is still reachable when bot is intentional
skills/lark-calendar/references/lark-calendar-suggestion.md	Trailing blank line removed, leaving file without a terminal newline; no functional impact
skills/lark-calendar/references/lark-calendar-agenda.md	Output requirements sentence truncated (free/busy and RSVP status dropped); noted in prior review thread

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Calendar shortcut invoked] --> B{runtime.IsBot?}
    B -- No --> Z[✅ Allow — user identity]
    B -- Yes --> C{hasExplicitBotFlag\n--as bot on CLI?}
    C -- Yes --> Z2[✅ Allow — intentional bot]
    C -- No --> D{Factory.\nIdentityAutoDetected?}
    D -- No --> Z3[✅ Allow — DefaultAs: bot\nor config-driven]
    D -- Yes --> E[❌ Block — auto-fallback\nfrom missing user login]
    E --> F[Return ErrWithHint:\nlark-cli auth login --domain calendar\nor rerun with --as bot]

Loading

_{Reviews (2): Last reviewed commit: "fix(calendar): block auto bot fallback w..." | Re-trigger Greptile}

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@3f848df12dd54e79de0bccde3384416e8c5276c0

🧩 Skill update

npx skills add larksuite/cli#fix/calendar-auto-bot-fallback -y -g

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

skills/lark-calendar/SKILL.md (1)

153-153: 建议优化语句以避免“的/得”歧义。

当前“确保转换的绝对准确”表达略拗口，建议改为“确保转换结果绝对准确”或“确保转换得绝对准确”，可读性更高。

✍️ 建议文案修改

-- 涉及日期（时间）字符串与时间戳的相互转换时，务必调用系统命令或脚本代码等外部工具进行处理，以确保转换的绝对准确。违者将导致严重的逻辑错误！
+- 涉及日期（时间）字符串与时间戳的相互转换时，务必调用系统命令或脚本代码等外部工具进行处理，以确保转换结果绝对准确。违者将导致严重的逻辑错误！

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@skills/lark-calendar/SKILL.md` at line 153, The sentence
"涉及日期（时间）字符串与时间戳的相互转换时，务必调用系统命令或脚本代码等外部工具进行处理，以确保转换的绝对准确。违者将导致严重的逻辑错误！" is
awkward; replace the phrase "确保转换的绝对准确" with a clearer form such as "确保转换结果绝对准确"
(preferred) or "确保转换得绝对准确" to remove the 的/得 ambiguity and improve readability
while keeping the rest of the warning intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/lark-calendar/references/lark-calendar-agenda.md`:
- Line 66: The implementation for the +agenda shortcut is emitting extra fields
(event_id, start, end, free_busy_status, self_rsvp_status) in
shortcuts/calendar/calendar_agenda.go (around the agenda formatting logic) while
the docs require output grouped by date and strictly sorted by start time,
showing only title and duration; fix by changing the agenda formatter to remove
those extra fields and only output title and duration per event, keep the
existing date-grouping and start-time ascending sort, and update any unit/test
expectations and the documentation string to reflect the chosen contract if you
instead decide to keep the extra fields.

---

Nitpick comments:
In `@skills/lark-calendar/SKILL.md`:
- Line 153: The sentence
"涉及日期（时间）字符串与时间戳的相互转换时，务必调用系统命令或脚本代码等外部工具进行处理，以确保转换的绝对准确。违者将导致严重的逻辑错误！" is
awkward; replace the phrase "确保转换的绝对准确" with a clearer form such as "确保转换结果绝对准确"
(preferred) or "确保转换得绝对准确" to remove the 的/得 ambiguity and improve readability
while keeping the rest of the warning intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f37ea59-80e1-4c60-8c0e-1e1b1523483d

📥 Commits

Reviewing files that changed from the base of the PR and between 51a6ada and 53388c0.

📒 Files selected for processing (10)

• shortcuts/calendar/calendar_agenda.go
• shortcuts/calendar/calendar_create.go
• shortcuts/calendar/calendar_freebusy.go
• shortcuts/calendar/calendar_rsvp.go
• shortcuts/calendar/calendar_suggestion.go
• shortcuts/calendar/calendar_test.go
• shortcuts/calendar/helpers.go
• skills/lark-calendar/SKILL.md
• skills/lark-calendar/references/lark-calendar-agenda.md
• skills/lark-calendar/references/lark-calendar-suggestion.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/lark-calendar/SKILL.md`:
- Line 153: Edit the sentence that currently reads
“涉及日期（时间）字符串与时间戳的相互转换时，务必调用系统命令或脚本代码等外部工具进行处理，以确保转换的绝对准确。” and change
“以确保转换的绝对准确” to “以确保转换结果绝对准确” so the phrase is more natural and unambiguous;
update the exact line in SKILL.md where that sentence appears (search for the
original sentence text) and make only this wording tweak.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c470479f-4bba-44ea-a093-b6efc5339aa1

📥 Commits

Reviewing files that changed from the base of the PR and between 53388c0 and 3f848df.

📒 Files selected for processing (10)

• shortcuts/calendar/calendar_agenda.go
• shortcuts/calendar/calendar_create.go
• shortcuts/calendar/calendar_freebusy.go
• shortcuts/calendar/calendar_rsvp.go
• shortcuts/calendar/calendar_suggestion.go
• shortcuts/calendar/calendar_test.go
• shortcuts/calendar/helpers.go
• skills/lark-calendar/SKILL.md
• skills/lark-calendar/references/lark-calendar-agenda.md
• skills/lark-calendar/references/lark-calendar-suggestion.md

✅ Files skipped from review due to trivial changes (3)

• skills/lark-calendar/references/lark-calendar-suggestion.md
• skills/lark-calendar/references/lark-calendar-agenda.md
• shortcuts/calendar/calendar_create.go

🚧 Files skipped from review as they are similar to previous changes (4)

• shortcuts/calendar/calendar_rsvp.go
• shortcuts/calendar/calendar_freebusy.go
• shortcuts/calendar/helpers.go
• shortcuts/calendar/calendar_test.go