feat(config): lark-channel secret supports SecretInput protocol

[mazhe-nerd]

Align lark-channel source with openclaw's generic SecretInput protocol so
bridge configs can keep secrets out of ~/.lark-channel/config.json.

• internal/binding/lark_channel.go: LarkChannelApp.Secret typed as
  SecretInput (accepts string / "${VAR}" template / {source,id} ref);
  LarkChannelRoot adds optional Secrets *SecretsConfig for exec providers.
• cmd/config/binder.go: larkChannelBinder.Build resolves via
  binding.ResolveSecretInput (same path as openclaw).
• Backward compatible: plain-string secret keeps working unchanged.

Enables three new secret forms for lark-channel users:

• env template "${LARK_APP_SECRET}"
• {source: "env" | "file", ...} refs
• {source: "exec", ...} for AES-decryption scripts

Summary by CodeRabbit

• New Features

  • Added support for environment variable references in Lark channel configuration secrets.

• Improvements

  • Enhanced secret credential handling with unified resolution pipeline.
  • Improved secret validation and keychain storage mechanisms.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR extends lark-channel config handling to support the SecretInput protocol, enabling environment-template and secret-reference secrets. The config schema is updated to include optional secret providers, app secrets now use the SecretInput type, the binder implements proper secret resolution with error hints, and comprehensive tests validate parsing and integration flows.

Changes

Lark-channel secret input protocol integration

Layer / File(s)	Summary
Config schema contract updates internal/binding/lark_channel.go	LarkChannelRoot gains an optional secrets registry field, and LarkChannelApp.secret changes from string to SecretInput type, enabling the config to express both plain-text and reference-based secrets.
Binding logic secret resolution cmd/config/binder.go	larkChannelBinder.Build now validates secrets with IsZero(), resolves them through binding.ResolveSecretInput (matching openclaw behavior), wraps errors with configuration hints, and persists the resolved secret for keychain storage.
Config parsing test coverage internal/binding/lark_channel_test.go	Tests validate plain-text and environment-template secrets as Secret.Plain, executable secret references with populated Secret.Ref and provider configuration, and error handling for invalid secret sources; empty secrets are checked with Secret.IsZero().
Bind integration test with env-template secrets cmd/config/bind_test.go	TestConfigBindRun_LarkChannel_EnvTemplate verifies end-to-end lark-channel binding: sets up a config with an environment-template secret, populates the environment variable, and asserts successful bind execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• larksuite/cli#786: Extends the lark-channel bind implementation by introducing SecretInput protocol support (env-templates and secret references) for the app secret field.

Suggested reviewers

• liangshuo-1

Poem

🐰 The lark takes flight with secrets sealed,
No more plaintext left revealed,
Templates dance and refs take hold,
Configuration, brave and bold! 🔐✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: enabling SecretInput protocol support for lark-channel secrets, which aligns with the primary objective of the changeset.
Description check	✅ Passed	The description provides a clear summary of motivation, lists main changes across affected files, and mentions verification through unit tests, adequately covering the required template sections.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/lark-channel-secret-resolve

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.92%. Comparing base (4a45e00) to head (93a2b6b).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/config/binder.go	42.85%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #912      +/-   ##
==========================================
- Coverage   65.95%   65.92%   -0.04%     
==========================================
  Files         523      523              
  Lines       49590    49692     +102     
==========================================
+ Hits        32707    32758      +51     
- Misses      14090    14134      +44     
- Partials     2793     2800       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@93a2b6b3d4e797f200a35491d8dfe870f0e05af0

🧩 Skill update

npx skills add larksuite/cli#feat/lark-channel-secret-resolve -y -g

[coderabbitai]

🧹 Nitpick comments (1)

cmd/config/bind_test.go (1)

414-429: 💤 Low value

Consider verifying the resolved secret value in the keychain.

The test confirms the bind operation succeeds but doesn't verify that the keychain received the resolved environment value "resolved_via_env" rather than the literal template string "${LARK_APP_SECRET}". While this matches the pattern in TestConfigBindRun_OpenClawEnvTemplate (lines 1373-1406), a stronger assertion would load the workspace config and verify the secret was resolved, similar to the approach in TestConfigBindRun_LarkChannel_Success (lines 398-408).

This is optional—the current test does validate the integration contract (bind succeeds with env-template secrets), but explicit verification of the resolved value would increase confidence in the SecretInput resolution pipeline.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/config/bind_test.go` around lines 414 - 429, Update
TestConfigBindRun_LarkChannel_EnvTemplate to also load the saved workspace
config/keychain after calling configBindRun and assert the Lark app secret was
stored as the resolved value "resolved_via_env" (not the literal
"${LARK_APP_SECRET}"). Specifically, after calling
configBindRun(&BindOptions{Factory: f, Source: "lark-channel"}), use the test
Factory (f) to open the workspace or keychain (same approach used in
TestConfigBindRun_LarkChannel_Success) and verify the secret entry for the app
id "cli_lc_env" equals "resolved_via_env"; fail the test if the stored value
does not match.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@cmd/config/bind_test.go`:
- Around line 414-429: Update TestConfigBindRun_LarkChannel_EnvTemplate to also
load the saved workspace config/keychain after calling configBindRun and assert
the Lark app secret was stored as the resolved value "resolved_via_env" (not the
literal "${LARK_APP_SECRET}"). Specifically, after calling
configBindRun(&BindOptions{Factory: f, Source: "lark-channel"}), use the test
Factory (f) to open the workspace or keychain (same approach used in
TestConfigBindRun_LarkChannel_Success) and verify the secret entry for the app
id "cli_lc_env" equals "resolved_via_env"; fail the test if the stored value
does not match.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 71b100fc-bc0e-43c0-aacb-fd74de5526f3

📥 Commits

Reviewing files that changed from the base of the PR and between 5778adf and 93a2b6b.

📒 Files selected for processing (4)

• cmd/config/bind_test.go
• cmd/config/binder.go
• internal/binding/lark_channel.go
• internal/binding/lark_channel_test.go