
feat(base): add identity priority strategy and error handling #505

Merged
zhouyue-bytedance merged 5 commits into larksuite:main from wangqiucheng2bd:feat/base-identity-priority-and-error-handling
Apr 17, 2026
@wangqiucheng2bd
Contributor

@wangqiucheng2bd wangqiucheng2bd commented Apr 16, 2026

Summary

  • Add user-first identity selection strategy with graceful degradation to bot for lark-base SKILL.md
  • Add no-retry rule for error code 91403 (permission denied on Base)

Identity priority strategy (section 3.5)

  1. Default to --as user for all Base operations
  2. On permission error, check if response contains privilege escalation guidance:
    • Yes: guide user through auth login --scope, retry as user after success
    • No: fallback to --as bot once
  3. If bot also fails, stop retrying and guide user to resolve permissions

Error code 91403 (section 5)

  • No retry on 91403; follow lark-shared permission handling flow

Test plan

  • Verify SKILL.md renders correctly
  • Confirm identity selection rules are consistent with lark-shared permission flow

Summary by CodeRabbit

  • Documentation
    • Clarified default execution as user and prerequisite authorization for user-mode operations.
    • Added structured permission-error handling: immediate stop for non-retry error 91403; guidance to elevate user scope when uplift hints are present; single bot fallback retry, then stop and follow shared permission-handling workflow if it still fails.
    • Restricted bot-first behavior to explicit user request.

@coderabbitai

coderabbitai bot commented Apr 16, 2026


Walkthrough

Defaults base operations to --as user (requires lark-cli auth login --domain base); on permission failures: stop immediately for error 91403; if response contains escalation hints/permission_violations, guide the user to elevate scope and retry --as user; otherwise retry once as --as bot and, if that fails, route to lark-shared. Bot-first only on explicit user request.

Changes

Cohort: Lark base skill doc
File(s): skills/lark-base/SKILL.md
Summary: Renamed section to “身份选择与权限降级策略”; set default execution to --as user (requires lark-cli auth login --domain base); added permission-error control flow: immediate stop for error 91403; if response contains escalation hints/permission_violations → guide user to elevate scope and retry --as user; otherwise fallback to a single --as bot retry; terminal --as bot failure → route to lark-shared; added 91403 to errors table. (+24/−3)

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Dev / CLI
    participant Auth as lark-cli (auth)
    participant Skill as Skill Runtime
    participant Shared as lark-shared

    Dev->>Auth: lark-cli auth login --domain base
    Dev->>Skill: request --as user
    Skill-->>Dev: permission error (contains escalation hint?)
    alt escalation hint present
      Dev->>Skill: guide user to elevate scope (auth login --scope) and retry --as user
      Skill-->>Dev: success / permission granted
    else no escalation hint and error != 91403
      Dev->>Skill: retry request --as bot (once)
      alt bot success
        Skill-->>Dev: success
      else bot permission error
        Dev->>Shared: route to lark-shared permission-handling flow
      end
    else error is 91403
      Skill-->>Dev: permission error (stop, route to lark-shared)
      Dev->>Shared: route to lark-shared permission-handling flow
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

documentation

Suggested reviewers

  • kongenpei

Poem

🐰 I hopped through rules and nudged the flow,
User first, then bot — one retry to go.
If nine-one-four-oh-three bars the door,
I point to shared paths and hop no more. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description check: ✅ Passed. The description covers all required template sections with clear summaries of changes and a test plan, though test items lack completion status and lack actual test execution evidence.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: ✅ Passed. The PR title accurately describes the main changes: adding an identity priority strategy and error handling (specifically 91403 error handling) for Lark Base operations as documented in the SKILL.md update.


@github-actions github-actions bot added the domain/base (PR touches the base domain) and size/M (Single-domain feat or fix with limited business impact) labels on Apr 16, 2026
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/lark-base/SKILL.md`:
- Around line 267-271: Add an explicit first-branch exception for error code
91403 in the permission-handling flow so it never triggers any retry logic:
update the execution rules in SKILL.md (the permission fallback algorithm around
the “--as user” / “--as bot” retry guidance) to check for code 91403 first and
immediately stop retries/redirect to the lark-shared guidance for resolution,
before the current user-vs-bot retry branching; reference the 91403 rule when
editing the block that currently describes the user fallback, bot one-time
retry, and final stop behavior.

📥 Commits

Reviewing files that changed from the base of the PR and between e10bf8e and 9c8d210.

📒 Files selected for processing (1)
  • skills/lark-base/SKILL.md

Comment thread skills/lark-base/SKILL.md Outdated
Establish user-first identity selection with graceful degradation to bot,
and add no-retry rule for error code 91403 (permission denied on Base).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@wangqiucheng2bd wangqiucheng2bd force-pushed the feat/base-identity-priority-and-error-handling branch from 9c8d210 to ba0d7ec Compare April 16, 2026 08:48
Move non-retryable error code check (e.g. 91403) to a dedicated step
before the user/bot fallback decision, resolving conflicting instructions
between the error table and the execution rules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (1)
skills/lark-base/SKILL.md (1)

267-271: ⚠️ Potential issue | 🟠 Major

91403 no-retry rule is not enforced in the main fallback algorithm.

Line 335 says 91403 must not retry, but Lines 267-271 currently allow a bot fallback retry for permission errors without guidance. This creates conflicting operator instructions. Please add an explicit first-branch exception for 91403 in the execution rules (before any user/bot retry decision).

📋 Suggested doc patch
 1. 所有操作默认先用 `--as user`。
-2. 若 user 身份返回权限错误,检查错误响应中是否包含 `permission_violations` / `hint` 等提权引导信息:
+2. 若 user 身份返回权限错误,先判断是否为 `91403`:
+   - **`91403`**:**不要重试**,直接按 `lark-shared` 权限不足处理流程引导用户解决。
+   - 其他权限错误:再检查错误响应中是否包含 `permission_violations` / `hint` 等提权引导信息:
    - **有提权引导**:按 `lark-shared` 权限不足处理流程,先引导用户完成 user 身份提权(`auth login --scope`);确认提权成功后,以 `--as user` 重试。
    - **无提权引导**(如资源级无访问权限、非 scope 不足):切换到 `--as bot` 重试**一次**。
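Review bot: the two unchanged bullets at the end of this hunk (`有提权引导` and `无提权引导`) keep the same indentation as the added `91403` and `其他权限错误` bullets, so they render as siblings of the `91403` branch rather than as children of `其他权限错误:…`, and the list no longer states unambiguously that the bot fallback is excluded for `91403`. Indent both context bullets one level further so they sit under the `其他权限错误` item.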
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/lark-base/SKILL.md` around lines 267 - 271, Add an explicit
first-branch exception for error code 91403 before the user/bot retry logic:
detect 91403 immediately and do NOT retry (neither as user nor as bot), instead
stop further retries and invoke the lark-shared permission-resolution flow;
update the execution rules near the "所有操作默认先用 `--as user`" / the user→bot
fallback section so 91403 is checked first and documented as a no-retry rule.
🧹 Nitpick comments (1)
skills/lark-base/SKILL.md (1)

269-269: Consider clarifying where the scope value comes from.

The instruction mentions auth login --scope but doesn't explicitly state that the specific scope should come from the error response's hint or permission_violations fields. While the phrase "按 lark-shared 权限不足处理流程" implies this, making it explicit would reduce ambiguity.

✏️ Optional clarification
-   - **有提权引导**:按 `lark-shared` 权限不足处理流程,先引导用户完成 user 身份提权(`auth login --scope`);确认提权成功后,以 `--as user` 重试。
+   - **有提权引导**:按 `lark-shared` 权限不足处理流程,根据错误响应中的 `hint` 或 `permission_violations` 字段引导用户完成 user 身份提权(`auth login --scope <具体scope>`);确认提权成功后,以 `--as user` 重试。
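Review bot: the added line names two sources for the scope (`hint` 或 `permission_violations`) without saying which one to use when both are present, or what to do when neither names a scope, so `<具体scope>` can still end up guessed. State the precedence, and add that the scope is copied from the response as-is and confirmed by the user before `auth login --scope` is run.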
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/lark-base/SKILL.md` at line 269, Clarify that the scope value for the
auth command should be taken from the error response (e.g., the "hint" or
"permission_violations" fields): update the `lark-shared`
insufficient-permission flow text to explicitly say "run `auth login --scope
<scope_from_error>` where <scope_from_error> is the scope shown in the error's
`hint` or `permission_violations`, then confirm elevation and retry with `--as
user`"; reference the existing terms `auth login --scope`, `hint`,
`permission_violations`, and `--as user` so readers know exactly where to obtain
the scope.


📥 Commits

Reviewing files that changed from the base of the PR and between 9c8d210 and ba0d7ec.

📒 Files selected for processing (1)
  • skills/lark-base/SKILL.md

Comment thread skills/lark-base/SKILL.md Outdated
Comment thread skills/lark-base/SKILL.md Outdated
Comment thread skills/lark-base/SKILL.md
Comment thread skills/lark-base/SKILL.md

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
skills/lark-base/SKILL.md (1)

268-268: Consider clarifying whether 91403 is the only non-retryable error code.

Line 268 uses "不可重试错误码(如 91403)" (non-retryable error codes such as 91403), which suggests there may be multiple non-retryable codes. However, throughout the document only 91403 is mentioned (line 336). If 91403 is currently the only non-retryable error code, consider using more specific wording like "是否为 91403" (whether it is 91403). If other codes exist or are planned, they should be documented in the error table at line 336 for completeness.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/lark-base/SKILL.md` at line 268, Update the wording in the sentence
that currently reads "不可重试错误码(如 `91403`)" to be explicit: if `91403` is the only
non-retryable code, change it to "是否为 `91403`" (or similar) to avoid implying
others; if there are additional non-retryable codes, list them here (or refer to
the error table) and add them to the error table where `91403` is documented so
the set of non-retryable codes is consistent and complete across SKILL.md.


📥 Commits

Reviewing files that changed from the base of the PR and between 006e92a and d24b602.

📒 Files selected for processing (1)
  • skills/lark-base/SKILL.md

@github-actions

github-actions bot commented Apr 16, 2026

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@3d01e20d1bd7f1a69321f0503522be12526f7b41

🧩 Skill update

npx skills add wangqiucheng2bd/cli#feat/base-identity-priority-and-error-handling -y -g


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
skills/lark-base/SKILL.md (1)

267-274: Execution rules correctly implement 91403 first-check, but wording could be more precise.

The logic flow properly enforces the no-retry rule for error code 91403 before any fallback logic, addressing the previous review concern. However, Line 268 uses "不可重试错误码(如 91403)" (non-retryable error codes such as 91403), which suggests there may be multiple codes in this category. If 91403 is currently the only non-retryable error code for Base operations, consider rewording to "不可重试错误码(91403)" for clarity. If additional codes exist, they should be explicitly documented here or referenced.

📝 Suggested clarification

If 91403 is the only non-retryable code:

-2. 若 user 身份返回权限错误,先判断是否为**不可重试错误码**(如 `91403`)。若是,**立即停止**,不做任何重试或降级,直接按 `lark-shared` 权限不足处理流程引导用户解决。
+2. 若 user 身份返回权限错误,先判断是否为**不可重试错误码 `91403`**。若是,**立即停止**,不做任何重试或降级,直接按 `lark-shared` 权限不足处理流程引导用户解决。

If there are other non-retryable codes, list them explicitly:

-2. 若 user 身份返回权限错误,先判断是否为**不可重试错误码**(如 `91403`)。若是,**立即停止**,不做任何重试或降级,直接按 `lark-shared` 权限不足处理流程引导用户解决。
+2. 若 user 身份返回权限错误,先判断是否为**不可重试错误码**(`91403`、`XXXXX` 等)。若是,**立即停止**,不做任何重试或降级,直接按 `lark-shared` 权限不足处理流程引导用户解决。
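Review bot: `XXXXX` 等 in the added line leaves the set of non-retryable codes open-ended, which is the ambiguity this suggestion is meant to remove; a reader cannot tell whether an unlisted permission code may fall through to the `--as bot` retry. List the actual codes, or point step 2 at the error table as the single source and drop `等`.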
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@skills/lark-base/SKILL.md` around lines 267 - 274, The wording "不可重试错误码(如
`91403`)" is ambiguous; update the SKILL.md text to either explicitly state the
single non-retryable code as "不可重试错误码(`91403`)" if 91403 is the only one, or
enumerate all non-retryable codes in that clause (e.g., list additional codes)
so the rule is unambiguous; locate and edit the phrase "不可重试错误码(如 `91403`)" in
the execution rules block and replace it accordingly.


📥 Commits

Reviewing files that changed from the base of the PR and between d24b602 and 3d01e20.

📒 Files selected for processing (1)
  • skills/lark-base/SKILL.md

Comment thread skills/lark-base/SKILL.md
@wangqiucheng2bd wangqiucheng2bd changed the title from "feat(base): add identity priority strategy and 91403 error handling" to "feat(base): add identity priority strategy and error handling" on Apr 16, 2026
@codecov

codecov bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@1608f95). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #505   +/-   ##
=======================================
  Coverage        ?   59.05%           
=======================================
  Files           ?      384           
  Lines           ?    32636           
  Branches        ?        0           
=======================================
  Hits            ?    19274           
  Misses          ?    11553           
  Partials        ?     1809           


@zhouyue-bytedance zhouyue-bytedance merged commit 0d50616 into larksuite:main Apr 17, 2026
19 of 20 checks passed
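
The identity-selection rules this PR documents, written out as an added example (not code from the PR or from lark-cli) with the 91403 check placed before any retry decision, as the review asked. The response layout (`code`, `hint`, `permission_violations` as dict keys, `code == 0` for success), the placeholder code `99999` and all function names are assumptions made for the illustration.

```python
from typing import Callable, Dict, List, Tuple

Response = Dict[str, object]

NON_RETRYABLE = frozenset({91403})  # the only no-retry code the PR names

# Outcomes the caller acts on.
SUCCESS = "success"
ELEVATE = "guide user through auth login --scope, then retry --as user"
STOP = "stop retrying; follow lark-shared permission handling"


def has_escalation_guidance(resp: Response) -> bool:
    # Field names are from the review thread; the dict layout is assumed.
    return bool(resp.get("hint")) or bool(resp.get("permission_violations"))


def run_base_operation(call: Callable[[str], Response]) -> Tuple[str, List[str]]:
    """Run call(identity) under the documented rules.

    Assumed: code == 0 means success and every other code that reaches this
    function is a permission error. Returns (outcome, identities tried).
    """
    tried = ["user"]
    resp = call("user")  # rule 1: always start as user
    if resp.get("code") == 0:
        return SUCCESS, tried

    # Checked first, so a 91403 that also carries a hint can never reach
    # the elevate-and-retry or bot-fallback branches below.
    if resp.get("code") in NON_RETRYABLE:
        return STOP, tried

    if has_escalation_guidance(resp):
        # Scope problem on the user grant: fix that, do not switch identity.
        return ELEVATE, tried

    tried.append("bot")  # exactly one bot fallback
    if call("bot").get("code") == 0:
        return SUCCESS, tried
    return STOP, tried  # bot failed too: no further retries


def scripted(by_identity: Dict[str, Response]) -> Callable[[str], Response]:
    """Constructed stand-in for the CLI call; 99999 is a placeholder code."""
    return lambda identity: by_identity[identity]


if __name__ == "__main__":
    ok = {"code": 0}
    cases = {
        "91403 with hint": {"user": {"code": 91403, "hint": "x"}, "bot": ok},
        "scope missing": {"user": {"code": 99999, "permission_violations": ["s"]}},
        "resource denied": {"user": {"code": 99999}, "bot": ok},
    }
    for name, backend in cases.items():
        print(name, "->", run_base_operation(scripted(backend)))
```

The list of identities tried is returned alongside the outcome so a test or an audit log can confirm that the bot identity was never used after a 91403.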