feat(errs): add structured CLI error contract

[evandance]

Summary

Add a typed error framework. Go callers branch via errors.As(&errs.XxxError{}); shell scripts, AI agents, and protocol adapters branch on stable JSON type / subtype fields instead of regex-parsing free-form messages.

This PR is the framework slice — it adds the package and infrastructure but does not migrate any business call sites. Migration of existing producers to typed errors will be handled uniformly in a follow-up.

What's added

• errs/ package — 9 categories (validation, authentication, authorization, config, network, api, policy, internal, confirmation), one typed struct per category, all embedding a shared RFC 7807-aligned Problem. IsXxx predicates for ergonomic matching.
• Lark code registry (internal/errclass/codemeta.go) — single source of truth mapping Lark numeric codes to {Category, Subtype, Retryable}. Consumed by errclass.BuildAPIError for typed dispatch.
• Typed JSON envelope writer (internal/output/errors.go WriteTypedErrorEnvelope) — emits {ok, identity, error: {type, subtype, code?, message, hint?, log_id?, retryable?, …extension fields}}. Called by cmd/root.go handleRootError ahead of the legacy writer; fires only when the error is a typed *errs.*.

What stays legacy

Most production paths emit the legacy *output.ExitError envelope unchanged:

• output.ErrAPI / output.ErrAuth / output.ErrValidation / output.ErrNetwork / output.ErrWithHint / output.Errorf / output.ErrBare — all still return *output.ExitError and produce the legacy {ok, identity, error: {type, code, message, hint?, detail?}} envelope. errors.As(&output.ExitError{}) still matches.
• APIClient.CheckResponse (used by cmd/api) — still routes Lark API responses through ClassifyLarkError and emits the legacy envelope.
• Business shortcuts (~12 sites under shortcuts/) hand-construct output.ErrAPI(...) — also legacy.
• BuildAPIError is implemented and tested but has no production caller yet.

User-visible wire / exit changes

Only these change in this PR:

• *core.ConfigError exit code 2 → 3. Direct construction-site edit in internal/core/config.go (two Code: 2 sites now Code: 3). Aligns with the "config errors share the auth exit code" taxonomy. errors.As(&core.ConfigError{}) still matches on the unwrap chain.
• APIClient.DoSDKRequest / DoStream / CallAPI now wrap untyped SDK errors at the boundary. Previously, a raw fmt.Errorf escaping the SDK surfaced as plain Error: <msg> (exit 1) at the root dispatcher. It now goes through WrapDoAPIError / WrapJSONResponseParseError, emitting a JSON envelope: type=network (exit 4) for transport-class failures, type=api_error (exit 1) for JSON-decode failures. Already-classified errors (*output.ExitError, *errs.*) pass through unchanged — output.ErrAuth from a missing token still surfaces as type=auth / exit 3 instead of being downgraded to network.

No other production exit code or envelope shape changes in this PR.

Carve-outs

• SecurityPolicyError keeps its custom envelope and exit 1. handleRootError checks errors.As(err, &spErr) first and emits via writeSecurityPolicyError, producing {type: "auth_error", code: "challenge_required"|"access_denied", message, retryable: false, challenge_url?, hint?}. OAuth / policy consumers depend on this shape. Guardrail test: TestHandleRootError_SecurityPolicyKeepsLegacyEnvelope.
• All business output.ErrAPI(...) call sites keep emitting the legacy envelope.

Test Plan

• make unit-test (77 packages, race + gcflags, 0 FAIL)
• validate: go build ./..., go vet ./..., gofmt -l . empty, go mod tidy, golangci-lint run --new-from-rev=origin/main 0 issues, go-licenses check
• sandbox E2E 128 pass / 15 pre-existing env failures (meta-registry --yes flag gap + test-account permission gap; not regressions)
• acceptance-reviewer PASS (0 blockers)
• guardrail tests: TestBuildAPIError_ExitCodeMatrix, TestConsoleURL_EscapesDangerousChars, TestHandleRootError_SecurityPolicyKeepsLegacyEnvelope, TestPromoteConfigError_*, TestDoSDKRequest_AuthFailurePreservesAuthCategory, TestTryHandleMCPResponse_*, TestWrapDoAPIError_LegacyExitErrorPassesThrough

Related Issues

N/A

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds errs/ typed error taxonomy and projections; rewires client/auth/commands/output to produce and envelope typed errors; updates tests accordingly; introduces errclass code meta/classifier; adds lintcheck tool and CI step; adjusts exit code mapping and config-auth promotion; widespread deprecation notes.

Changes

Typed error system and integration

Layer / File(s)	Summary
Core taxonomy and projections errs/*	Introduces typed errors (Problem, types, subtypes), predicates, MCP/OAuth projections, wrapping helpers, and contract docs/tests.
Classification and exit codes internal/errclass/*, internal/output/exitcode*.go, internal/output/lark_errors.go	Maps Lark codes to typed categories/subtypes, builds typed API/permission errors, and derives exit codes from categories.
Client/auth/command wiring internal/client/*, internal/auth/*, cmd/*	Propagates typed errors through SDK, response handling, pagination, root dispatch, and scope hints; converts legacy config/auth to typed forms.
Tests migration cmd/*_test.go, shortcuts/*_test.go, internal/*_test.go	Switches assertions to typed errors, Problem extraction, and ExitCodeOf; adds extensive new tests for classifier/projections.
Lint and CI guardrails internal/lintcheck/*, cmd/lintcheck/main.go, .github/workflows/ci.yml, .golangci.yml	Adds repo scanner enforcing typed-error contract (rules B–E), CLI entrypoint, CI step, and forbidigo rules.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as CLI User
  participant CLI as CLI Command
  participant Client as APIClient
  participant Class as errclass.Classify
  participant Errs as errs.Typed
  participant Out as output

  User->>CLI: run command
  CLI->>Client: DoSDKRequest/CallAPI
  Client-->>Client: WrapDoAPIError/WrapJSONResponseParseError
  Client->>Class: BuildAPIError(result, identity)
  Class-->>Client: *errs.(API|Permission|... )Error
  Client-->>CLI: return typed error
  CLI->>Errs: ProblemOf / predicates
  CLI->>Out: WriteTypedErrorEnvelope(err, identity)
  Out-->>User: typed stderr JSON + mapped exit code

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• larksuite/cli#294 — Also modifies WrapDriveMediaUploadRequestError to preserve typed errs, intersecting with this PR’s typed error propagation.
• larksuite/cli#776 — Adjusts missing-authorization hinting; this PR migrates that flow to applyNeedAuthorizationHint on typed AuthError.
• larksuite/cli#494 — Touches legacy ClassifyLarkError; this PR refactors it to use errclass.LookupCodeMeta.

Poem

A rabbit taps the console key,
Errors hop as types, now clean and free.
Codes to subtypes, neatly spun,
Envelopes shine—review is done.
Lint checks nibble every vine,
CI burrows: all aligned.
Thump—typed trails, by design.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/error-contract-framework

[coderabbitai]

Actionable comments posted: 12

🧹 Nitpick comments (1)

errs/marshal_test.go (1)

63-64: ⚡ Quick win

Avoid discarding json.Marshal errors in tests.

These tests currently ignore marshal failures, which can create misleading assertions on empty/invalid payloads. Capture and assert err == nil consistently.

Proposed cleanup

- b, _ := json.Marshal(ve)
+ b, err := json.Marshal(ve)
+ if err != nil {
+   t.Fatal(err)
+ }

You can apply the same pattern to each marshal call in this file.

Also applies to: 78-79, 89-90, 108-109, 122-123, 136-137, 147-148, 164-165, 175-176, 193-194, 209-210, 224-225

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@errs/marshal_test.go` around lines 63 - 64, The tests call json.Marshal into
variables like b and then ignore the error (e.g., b, _ := json.Marshal(ve); s :=
string(b)); update each marshal invocation (all occurrences around variables b
and s) to capture the error (b, err := json.Marshal(...)) and add an assertion
that err == nil (use the test helper being used in the file, e.g.,
require.NoError(t, err) or if that framework isn't used, t.Fatalf/if err != nil
{ t.Fatalf(...) }) before converting b to string; apply this pattern to every
marshal call listed (lines near the examples: 63-64, 78-79, 89-90, 108-109,
122-123, 136-137, 147-148, 164-165, 175-176, 193-194, 209-210, 224-225).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/auth/scopes.go`:
- Around line 57-65: The current return in getAppInfo unconditionally wraps any
error as *errs.PermissionError (using errs.Problem/SubtypeAppScopeNotEnabled),
which hides the original error type and subtype; change the logic in getAppInfo
to detect and preserve non-permission errors (e.g., if err is already an
*errs.Error/*errs.Problem or not related to app-scope authorization) and only
construct and return a new *errs.PermissionError when the failure is truly an
authorization/app-scope issue; reference the existing symbols
errs.PermissionError, errs.Problem, errs.SubtypeAppScopeNotEnabled and the
getAppInfo call site to implement a type-check/inspect-and-branch so other
failure categories (network/auth/internal) are returned unchanged.

In `@cmd/lintcheck/main.go`:
- Around line 41-50: The CLI-provided root path is used without validation; call
validate.SafeInputPath on the resolved root (the local variable root) before
passing it to lintcheck.ScanRepo, handle the error returned (log or exit
appropriately) and only call lintcheck.ScanRepo with the validated/clean path;
update the code around the root variable and the lintcheck.ScanRepo call to use
the validated path and error handling to enforce path-safety.

In `@errs/subtypes_service_task.go`:
- Line 10: Update the header comment in errs/subtypes_service_task.go to point
to the correct consumer path: replace the incorrect reference to
internal/output/codemeta_task.go with internal/errclass/codemeta_task.go so the
comment accurately states where these task service subtypes are consumed; ensure
the comment text around "Task service subtypes" and any mention of
codemeta_task.go is updated accordingly.

In `@internal/client/pagination.go`:
- Around line 31-34: The fallback for identity currently sets identity :=
pagOpts.Identity and then defaults to core.AsUser if empty, which ignores
request.As; update the logic so identity is determined by checking
pagOpts.Identity first, then request.As, and only then defaulting to core.AsUser
(i.e., set identity = pagOpts.Identity if non-empty, else use request.As if
non-empty, else core.AsUser) so that checkErr and related metadata use the
correct request identity.

In `@internal/errcompat/promote.go`:
- Around line 27-29: PromoteConfigError currently dereferences cfgErr without
checking for nil; add a nil guard at the start of PromoteConfigError (the
function that accepts *core.ConfigError) and return nil (or a sensible error)
immediately if cfgErr is nil to avoid a panic, then proceed to inspect
cfgErr.Type and construct errs.AuthError / other error types as before.

In `@internal/lintcheck/rules.go`:
- Around line 125-126: The condition that tries to match RegisterServiceMap
variants misses names with infixes; update the callee check in the lint rule
(where the variable callee is compared alongside mergeCodeMeta) to use
strings.Contains(callee, "RegisterServiceMap") instead of
strings.HasPrefix/HasSuffix so any name containing "RegisterServiceMap" (e.g.,
FooRegisterServiceMapBar) is detected; keep the equality check for
"mergeCodeMeta" intact and replace only the RegisterServiceMap prefix/suffix
logic in the function in internal/lintcheck/rules.go.
- Around line 77-80: The rule currently flags any type whose name ends with
"Error" (using typeSpec.Name.Name); change it to only apply to exported Error
types by first ensuring the identifier is exported (e.g., check that the name is
non-empty and its first rune is uppercase or use a proper IsExported helper)
before applying the strings.HasSuffix(name, "Error") test, so unexported
"*Error" structs are ignored; update the condition around typeSpec.Name.Name to
return true for non-exported names and only run the suffix check for exported
identifiers.

In `@internal/lintcheck/scan.go`:
- Around line 28-29: The ScanRepo function currently consumes the CLI-controlled
root path directly (used with filepath.Join and directory walking); validate the
repository root by calling validate.SafeInputPath(root) at the start of ScanRepo
and return a clear error if validation fails before calling
LoadSubtypeAllowlists or performing any file system operations; apply the same
safe-path gate to any other functions in this file that accept a root/path (the
block referenced around the LoadSubtypeAllowlists use and the code region
covering the later scan logic) so all file reads/walks only occur after
validate.SafeInputPath has approved the input.
- Around line 41-43: Replace all direct os.* filesystem calls in scan.go with
the vfs equivalents to preserve test-mocking: change os.Stat -> vfs.Stat,
os.ReadDir -> vfs.ReadDir, os.ReadFile -> vfs.ReadFile and os.IsNotExist ->
vfs.IsNotExist, update the import to use the vfs package, and keep existing
error branches (e.g., the else-if that currently reads "!os.IsNotExist(err)")
but using vfs.IsNotExist(err) so behavior is identical while enabling vfs-based
tests; apply the same replacements for every occurrence noted (the blocks using
os.Stat, os.ReadDir, os.ReadFile and os.IsNotExist).
- Around line 311-315: CheckErrsContract is currently collecting any struct
whose name ends with "Error" (via the loop that inspects
d.Type.(*ast.StructType) and uses d.Name.Name) including unexported/internal
types; modify that logic to only register exported error types by adding an
exported-name check (e.g., use ast.IsExported(d.Name.Name) or test the first
rune is upper-case) before writing into typedErrors so only exported "*Error"
structs are added; keep the existing typedErrors map and fset.Position(d.Pos())
usage unchanged.
- Around line 29-34: The code currently treats any error from
LoadSubtypeAllowlists as "missing files" and silently disables Rule E; instead,
call LoadSubtypeAllowlists(root+"/errs") and if err is nil proceed, if
errors.Is(err, os.ErrNotExist) (or os.IsNotExist(err) / errors.Is(err,
fs.ErrNotExist) depending on imports) then set allowlist/nameset = nil to skip
Rule E, otherwise propagate or return the error (or log and fail CI) so genuine
parse/read failures are not swallowed; reference the LoadSubtypeAllowlists call
and the allowlist/nameset variables to locate where to add the is-not-exist
check and error propagation.

In `@internal/output/errors.go`:
- Around line 202-204: The code currently returns true when enc.Encode(env)
fails (encErr), which wrongly signals the envelope was written and suppresses
fallback; change the behavior so that on enc.Encode(env) error you do not report
"written" — e.g., handle or log encErr as appropriate and return false (or
propagate the error) instead of returning true; make this change where
enc.Encode(env) is called (variables enc, env, encErr).

---

Nitpick comments:
In `@errs/marshal_test.go`:
- Around line 63-64: The tests call json.Marshal into variables like b and then
ignore the error (e.g., b, _ := json.Marshal(ve); s := string(b)); update each
marshal invocation (all occurrences around variables b and s) to capture the
error (b, err := json.Marshal(...)) and add an assertion that err == nil (use
the test helper being used in the file, e.g., require.NoError(t, err) or if that
framework isn't used, t.Fatalf/if err != nil { t.Fatalf(...) }) before
converting b to string; apply this pattern to every marshal call listed (lines
near the examples: 63-64, 78-79, 89-90, 108-109, 122-123, 136-137, 147-148,
164-165, 175-176, 193-194, 209-210, 224-225).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 715761fd-2c37-462e-a0fb-fb08f53b8426

📥 Commits

Reviewing files that changed from the base of the PR and between 69c3448 and 255fc10.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (79)

• .github/workflows/ci.yml
• .golangci.yml
• cmd/api/api.go
• cmd/api/api_test.go
• cmd/auth/scopes.go
• cmd/config/bind_test.go
• cmd/config/config_test.go
• cmd/error_auth_hint.go
• cmd/event/runtime.go
• cmd/lintcheck/main.go
• cmd/root.go
• cmd/root_integration_test.go
• cmd/root_test.go
• cmd/service/service.go
• cmd/service/service_test.go
• errs/category.go
• errs/category_test.go
• errs/doc.go
• errs/internal_carrier.go
• errs/marshal_test.go
• errs/predicates.go
• errs/predicates_test.go
• errs/problem.go
• errs/problem_test.go
• errs/projection/mcp.go
• errs/projection/mcp_test.go
• errs/projection/oauth.go
• errs/projection/oauth_test.go
• errs/subtypes.go
• errs/subtypes_service_task.go
• errs/types.go
• errs/types_test.go
• errs/wrap.go
• errs/wrap_test.go
• go.mod
• internal/auth/errors.go
• internal/auth/transport.go
• internal/auth/uat_client.go
• internal/client/api_errors.go
• internal/client/api_errors_test.go
• internal/client/client.go
• internal/client/client_test.go
• internal/client/pagination.go
• internal/client/response.go
• internal/client/response_test.go
• internal/cmdutil/json.go
• internal/core/config.go
• internal/core/errors.go
• internal/core/notconfigured.go
• internal/errclass/classify.go
• internal/errclass/classify_test.go
• internal/errclass/codemeta.go
• internal/errclass/codemeta_task.go
• internal/errclass/codemeta_test.go
• internal/errcompat/promote.go
• internal/errcompat/promote_test.go
• internal/lintcheck/rules.go
• internal/lintcheck/rules_test.go
• internal/lintcheck/scan.go
• internal/lintcheck/scan_test.go
• internal/lintcheck/typecheck.go
• internal/lintcheck/typecheck_test.go
• internal/output/errors.go
• internal/output/exitcode.go
• internal/output/exitcode_test.go
• internal/output/lark_errors.go
• shortcuts/base/base_execute_test.go
• shortcuts/calendar/calendar_test.go
• shortcuts/common/drive_media_upload.go
• shortcuts/common/drive_media_upload_test.go
• shortcuts/common/mcp_client_test.go
• shortcuts/drive/drive_status_test.go
• shortcuts/mail/mail_shortcut_validation_test.go
• shortcuts/markdown/helpers.go
• shortcuts/markdown/markdown_diff_test.go
• shortcuts/task/task_body_test.go
• shortcuts/task/task_query_helpers_test.go
• shortcuts/task/task_upload_attachment_test.go
• shortcuts/task/task_util_test.go

💤 Files with no reviewable changes (1)

• cmd/error_auth_hint.go

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@579b037c7a9a1ffd93a328022017774f38cf3750

🧩 Skill update

npx skills add larksuite/cli#feat/error-contract-framework -y -g

[codecov]

Codecov Report

❌ Patch coverage is 67.35113% with 159 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.92%. Comparing base (e93e2a9) to head (579b037).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/output/lark_errors.go	47.27%	28 Missing and 1 partial ⚠️
internal/errclass/classify.go	82.48%	20 Missing and 4 partials ⚠️
internal/output/errors.go	0.00%	23 Missing ⚠️
cmd/service/service.go	34.48%	17 Missing and 2 partials ⚠️
internal/auth/transport.go	63.33%	10 Missing and 1 partial ⚠️
internal/auth/uat_client.go	0.00%	11 Missing ⚠️
internal/client/pagination.go	0.00%	8 Missing ⚠️
cmd/error_auth_hint.go	62.50%	3 Missing and 3 partials ⚠️
cmd/root.go	68.42%	3 Missing and 3 partials ⚠️
errs/predicates.go	81.25%	6 Missing ⚠️
... and 7 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #984      +/-   ##
==========================================
+ Coverage   67.91%   67.92%   +0.01%     
==========================================
  Files         592      601       +9     
  Lines       55410    55762     +352     
==========================================
+ Hits        37631    37876     +245     
- Misses      14669    14751      +82     
- Partials     3110     3135      +25     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/auth/uat_client.go (1)

250-267: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reclassify the second refresh response before fallback token-clear.

On Line 260-Line 267, after the retry call you only check “failed or not” and then clear token. If the second response is a policy block, the function drops challenge_url/typed policy context and returns nil, which breaks the policy carve-out behavior.

Suggested patch

 			code = getInt(data, "code", -1)
 			errStr = getStr(data, "error")
 			if (code != -1 && code != 0) || errStr != "" {
+				if meta2, ok2 := errclass.LookupCodeMeta(code); ok2 && meta2.Category == errs.CategoryPolicy {
+					return nil, &errs.SecurityPolicyError{
+						Problem: errs.Problem{
+							Category: errs.CategoryPolicy,
+							Subtype:  meta2.Subtype,
+							Code:     code,
+							Message:  getStr(data, "error_description"),
+							Hint:     getStr(data, "cli_hint"),
+						},
+						ChallengeURL: getStr(data, "challenge_url"),
+					}
+				}
 				fmt.Fprintf(errOut, "[lark-cli] [WARN] uat-client: refresh failed after retry (code=%d) for %s, clearing token\n", code, opts.UserOpenId)
 				if err := RemoveStoredToken(opts.AppId, opts.UserOpenId); err != nil {
 					fmt.Fprintf(errOut, "[lark-cli] [WARN] uat-client: failed to remove token: %v\n", err)
 				}
 				return nil, nil
 			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/auth/uat_client.go` around lines 250 - 267, After the retry call in
the refresh path (inside the metaOK && meta.Category ==
errs.CategoryAuthentication && meta.Retryable block around callEndpoint and
RemoveStoredToken), reclassify the second response before deciding to clear the
token: parse the returned data into the same error/meta representation you used
originally (i.e., recompute meta/category from data after callEndpoint), and if
the reclassified meta indicates a policy block (errs.CategoryPolicy or a
presence of challenge_url/typed policy context) return the data so the caller
can handle the policy flow instead of clearing the token; only clear the stored
token when the reclassified response is still an authentication
failure/retryable auth error. Ensure you reference the existing
variables/functions used there (callEndpoint, code/getInt, errStr/getStr, meta,
RemoveStoredToken) so you reuse the same classification logic.

♻️ Duplicate comments (2)

cmd/auth/scopes.go (1)

57-65: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve getAppInfo's original typed failures instead of always converting to PermissionError.

This branch rewrites every failure into *errs.PermissionError, so non-permission failures (e.g., network errors, authentication failures, internal errors) lose their original subtype and produce incorrect exit codes/hints. For example, a network timeout would incorrectly tell the user to "ensure the app has enabled the application:application:self_manage scope."

🐛 Proposed fix — preserve original error types

 	appInfo, err := getAppInfo(opts.Ctx, f, config.AppID)
 	if err != nil {
+		// Preserve typed errors (network, auth, etc.) — only wrap unknown
+		// errors as permission failures when we're confident the cause is
+		// scope-related.
+		var perm *errs.PermissionError
+		if errors.As(err, &perm) {
+			if perm.ConsoleURL == "" {
+				perm.ConsoleURL = errclass.ConsoleURL(string(config.Brand), config.AppID, nil)
+			}
+			return perm
+		}
+		// If it's already a typed error, return as-is
+		if _, ok := errs.UnwrapTypedError(err); ok {
+			return err
+		}
+		// Only wrap truly unknown errors as permission failures
 		return &errs.PermissionError{
 			Problem: errs.Problem{
 				Category: errs.CategoryAuthorization,

Add the "errors" import at the top of the file.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/auth/scopes.go` around lines 57 - 65, The code currently converts all
failures from getAppInfo into a new *errs.PermissionError; instead, detect and
preserve typed errors from getAppInfo (use errors.As or errors.Is) and only
construct a PermissionError when the underlying error is not already an errs.*
type that should be propagated; add the "errors" import, attempt errors.As(err,
&var) to see if err is already an *errs.PermissionError (or other errs.* types)
and return it directly, otherwise build and return the PermissionError with the
same message/hint/ConsoleURL as before.

internal/output/errors.go (1)

202-204: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not report "written" when typed envelope encoding fails.

Returning true here signals success to the caller, but encoding actually failed and nothing was written. This can suppress fallback handling while emitting nothing to the user.

🐛 Proposed fix

 	if encErr := enc.Encode(env); encErr != nil {
-		return true // pretend written; we still consumed the typed error
+		return false
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/output/errors.go` around lines 202 - 204, The code currently returns
true when enc.Encode(env) fails, incorrectly signaling success; change the
branch handling enc.Encode(env) in the envelope write/emit function (the block
that checks "if encErr := enc.Encode(env); encErr != nil") to return false
(and/or propagate the actual error up if the surrounding function supports an
error return) so failure to encode does not claim the envelope was written and
callers can perform fallback/error handling.

🧹 Nitpick comments (2)

shortcuts/task/task_body_test.go (1)

71-80: ⚡ Quick win

wantSubstr expectations are currently not asserted.

Line 71 and Line 138 validate code/category, but the table’s wantSubstr is never checked, so message regressions won’t be caught.

Proposed patch

@@
 			if string(p.Category) != tt.wantType {
 				t.Errorf("error type = %q, want %q (err = %v)", p.Category, tt.wantType, err)
 			}
+			if tt.wantSubstr != "" && !strings.Contains(err.Error(), tt.wantSubstr) {
+				t.Errorf("error = %q, want substring %q", err.Error(), tt.wantSubstr)
+			}
 		})
 	}
 }
@@
 			if string(p.Category) != tt.wantType {
 				t.Errorf("error type = %q, want %q (err = %v)", p.Category, tt.wantType, err)
 			}
+			if tt.wantSubstr != "" && !strings.Contains(err.Error(), tt.wantSubstr) {
+				t.Errorf("error = %q, want substring %q", err.Error(), tt.wantSubstr)
+			}
 		})
 	}
 }

Also applies to: 138-147

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shortcuts/task/task_body_test.go` around lines 71 - 80, Tests currently check
ExitCodeOf(err) and errs.ProblemOf(err)/p.Category but never assert the table's
tt.wantSubstr, so add an assertion that the error message contains tt.wantSubstr
after the existing checks: use err.Error() (or fmt.Sprintf("%v", err)) and
t.Errorf when tt.wantSubstr is non-empty and not a substring. Apply the same
change in the other test block that uses output.ExitCodeOf and errs.ProblemOf
(the block around lines 138-147) so both places assert the message contains
tt.wantSubstr.

internal/lintcheck/rules.go (1)

259-259: 💤 Low value

Consider compiling the regex once at package level.

The ad_hoc_* regex is recompiled on every call to scanSubtype. For a linting tool that processes many files, this adds unnecessary overhead.

♻️ Proposed refactor

+var adHocRe = regexp.MustCompile(`^ad_hoc_[a-z0-9_]+$`)
+
 func scanSubtype(path, src string, allowlist, nameset map[string]struct{}, scope *TypedScope, absPath string) ([]Violation, error) {
 	fset := token.NewFileSet()
 	file, err := parser.ParseFile(fset, path, src, parser.ParseComments)
 	if err != nil {
 		return nil, err
 	}
-	adHoc := regexp.MustCompile(`^ad_hoc_[a-z0-9_]+$`)
+	adHoc := adHocRe
 	var out []Violation

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/lintcheck/rules.go` at line 259, The regex
`regexp.MustCompile(\`^ad_hoc_[a-z0-9_]+$\`)` is being compiled inside
scanSubtype on every call; move it to a package-level variable (e.g., declare
var adHoc = regexp.MustCompile(`^ad_hoc_[a-z0-9_]+$`) at top-level) and update
scanSubtype to reuse that adHoc variable so the pattern is compiled once for the
whole process.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/service/service.go`:
- Around line 288-291: The call to ac.DoAPI in serviceMethodRun (RunE) returns
raw errors from the credential/auth chain (e.g.,
DefaultTokenProvider.ResolveToken, auth.GetValidAccessToken) which must be
converted to typed output errors; modify the code around the ac.DoAPI call so
any non-nil err is wrapped using the same output.* error types used elsewhere
(for example reuse WrapDoAPIError-style wrapping or create an output-specific
wrapper) before returning from RunE, ensuring resolveAccessToken and any
DoAPI-originated errors never propagate as untyped errors.

In `@errs/predicates.go`:
- Around line 12-17: ProblemOf currently returns ok=true even when the
underlying Problem pointer is nil, causing callers (e.g., CategoryOf,
IsRetryable) to dereference nil; update ProblemOf to check the returned *Problem
from c.ProblemDetail() and only return (p, true) when p != nil, otherwise return
(nil, false). Apply the same defensive pattern to the other similar helper(s)
that call problemCarrier.ProblemDetail() (such as the functions handling
category/retry checks) so they never signal ok=true with a nil *Problem.

In `@errs/problem.go`:
- Around line 29-30: The Error method for type *Problem should guard against a
nil receiver to avoid panics when a nil *Problem is stored in an error
interface; modify (*Problem).Error() to check if p == nil and return an
appropriate string (e.g., "" or "<nil>") instead of dereferencing p.Message,
keeping the rest of the behavior unchanged and leaving ProblemDetail() as-is.

---

Outside diff comments:
In `@internal/auth/uat_client.go`:
- Around line 250-267: After the retry call in the refresh path (inside the
metaOK && meta.Category == errs.CategoryAuthentication && meta.Retryable block
around callEndpoint and RemoveStoredToken), reclassify the second response
before deciding to clear the token: parse the returned data into the same
error/meta representation you used originally (i.e., recompute meta/category
from data after callEndpoint), and if the reclassified meta indicates a policy
block (errs.CategoryPolicy or a presence of challenge_url/typed policy context)
return the data so the caller can handle the policy flow instead of clearing the
token; only clear the stored token when the reclassified response is still an
authentication failure/retryable auth error. Ensure you reference the existing
variables/functions used there (callEndpoint, code/getInt, errStr/getStr, meta,
RemoveStoredToken) so you reuse the same classification logic.

---

Duplicate comments:
In `@cmd/auth/scopes.go`:
- Around line 57-65: The code currently converts all failures from getAppInfo
into a new *errs.PermissionError; instead, detect and preserve typed errors from
getAppInfo (use errors.As or errors.Is) and only construct a PermissionError
when the underlying error is not already an errs.* type that should be
propagated; add the "errors" import, attempt errors.As(err, &var) to see if err
is already an *errs.PermissionError (or other errs.* types) and return it
directly, otherwise build and return the PermissionError with the same
message/hint/ConsoleURL as before.

In `@internal/output/errors.go`:
- Around line 202-204: The code currently returns true when enc.Encode(env)
fails, incorrectly signaling success; change the branch handling enc.Encode(env)
in the envelope write/emit function (the block that checks "if encErr :=
enc.Encode(env); encErr != nil") to return false (and/or propagate the actual
error up if the surrounding function supports an error return) so failure to
encode does not claim the envelope was written and callers can perform
fallback/error handling.

---

Nitpick comments:
In `@internal/lintcheck/rules.go`:
- Line 259: The regex `regexp.MustCompile(\`^ad_hoc_[a-z0-9_]+$\`)` is being
compiled inside scanSubtype on every call; move it to a package-level variable
(e.g., declare var adHoc = regexp.MustCompile(`^ad_hoc_[a-z0-9_]+$`) at
top-level) and update scanSubtype to reuse that adHoc variable so the pattern is
compiled once for the whole process.

In `@shortcuts/task/task_body_test.go`:
- Around line 71-80: Tests currently check ExitCodeOf(err) and
errs.ProblemOf(err)/p.Category but never assert the table's tt.wantSubstr, so
add an assertion that the error message contains tt.wantSubstr after the
existing checks: use err.Error() (or fmt.Sprintf("%v", err)) and t.Errorf when
tt.wantSubstr is non-empty and not a substring. Apply the same change in the
other test block that uses output.ExitCodeOf and errs.ProblemOf (the block
around lines 138-147) so both places assert the message contains tt.wantSubstr.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ee39d5f2-560e-4ec5-a762-b57943afc3b9

📥 Commits

Reviewing files that changed from the base of the PR and between 255fc10 and 24b4a47.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (80)

• .github/workflows/ci.yml
• .golangci.yml
• cmd/api/api.go
• cmd/api/api_test.go
• cmd/auth/scopes.go
• cmd/config/bind_test.go
• cmd/config/config_test.go
• cmd/error_auth_hint.go
• cmd/event/runtime.go
• cmd/lintcheck/main.go
• cmd/root.go
• cmd/root_integration_test.go
• cmd/root_test.go
• cmd/service/service.go
• cmd/service/service_test.go
• errs/category.go
• errs/category_test.go
• errs/doc.go
• errs/internal_carrier.go
• errs/marshal_test.go
• errs/predicates.go
• errs/predicates_test.go
• errs/problem.go
• errs/problem_test.go
• errs/projection/mcp.go
• errs/projection/mcp_test.go
• errs/projection/oauth.go
• errs/projection/oauth_test.go
• errs/subtypes.go
• errs/subtypes_service_task.go
• errs/types.go
• errs/types_test.go
• errs/wrap.go
• errs/wrap_test.go
• go.mod
• internal/auth/errors.go
• internal/auth/transport.go
• internal/auth/transport_test.go
• internal/auth/uat_client.go
• internal/client/api_errors.go
• internal/client/api_errors_test.go
• internal/client/client.go
• internal/client/client_test.go
• internal/client/pagination.go
• internal/client/response.go
• internal/client/response_test.go
• internal/cmdutil/json.go
• internal/core/config.go
• internal/core/errors.go
• internal/core/notconfigured.go
• internal/errclass/classify.go
• internal/errclass/classify_test.go
• internal/errclass/codemeta.go
• internal/errclass/codemeta_task.go
• internal/errclass/codemeta_test.go
• internal/errcompat/promote.go
• internal/errcompat/promote_test.go
• internal/lintcheck/rules.go
• internal/lintcheck/rules_test.go
• internal/lintcheck/scan.go
• internal/lintcheck/scan_test.go
• internal/lintcheck/typecheck.go
• internal/lintcheck/typecheck_test.go
• internal/output/errors.go
• internal/output/exitcode.go
• internal/output/exitcode_test.go
• internal/output/lark_errors.go
• shortcuts/base/base_execute_test.go
• shortcuts/calendar/calendar_test.go
• shortcuts/common/drive_media_upload.go
• shortcuts/common/drive_media_upload_test.go
• shortcuts/common/mcp_client_test.go
• shortcuts/drive/drive_status_test.go
• shortcuts/mail/mail_shortcut_validation_test.go
• shortcuts/markdown/helpers.go
• shortcuts/markdown/markdown_diff_test.go
• shortcuts/task/task_body_test.go
• shortcuts/task/task_query_helpers_test.go
• shortcuts/task/task_upload_attachment_test.go
• shortcuts/task/task_util_test.go

💤 Files with no reviewable changes (1)

• cmd/error_auth_hint.go

✅ Files skipped from review due to trivial changes (6)

• errs/internal_carrier.go
• shortcuts/base/base_execute_test.go
• errs/wrap.go
• internal/core/errors.go
• errs/subtypes_service_task.go
• errs/doc.go

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (3)

cmd/auth/scopes.go (1)

57-65: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve non-authorization failures from getAppInfo instead of always remapping.

This branch rewrites every getAppInfo failure into *errs.PermissionError, which masks original network/auth/internal error types and can break downstream errors.As branching and exit-code expectations. Only map true app-scope authorization failures; return other error types unchanged.

Suggested minimal fix

+import "errors"
@@
 	appInfo, err := getAppInfo(opts.Ctx, f, config.AppID)
 	if err != nil {
-		return &errs.PermissionError{
-			Problem: errs.Problem{
-				Category: errs.CategoryAuthorization,
-				Subtype:  errs.SubtypeAppScopeNotEnabled,
-				Message:  fmt.Sprintf("failed to get app scope info: %v", err),
-				Hint:     "ensure the app has enabled the application:application:self_manage scope.",
-			},
-			ConsoleURL: errclass.ConsoleURL(string(config.Brand), config.AppID, nil),
-		}
+		var perm *errs.PermissionError
+		if errors.As(err, &perm) {
+			if perm.Subtype == errs.SubtypeAppScopeNotEnabled && perm.ConsoleURL == "" {
+				perm.ConsoleURL = errclass.ConsoleURL(string(config.Brand), config.AppID, nil)
+			}
+			return perm
+		}
+		return err
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/auth/scopes.go` around lines 57 - 65, The current code unconditionally
wraps any error from getAppInfo into an errs.PermissionError
(SubtypeAppScopeNotEnabled), which hides non-authorization failures; change the
logic in the caller of getAppInfo (the scope-checking path that currently
returns &errs.PermissionError{...}) to inspect the original error returned by
getAppInfo and only construct and return an errs.PermissionError when the error
clearly indicates the app-scope authorization issue (e.g., match or use an
exported sentinel, error type, or check for a specific error string/condition
that denotes app scope not enabled); for all other errors returned by
getAppInfo, return the original error unchanged so callers can still
errors.As/handle exit codes correctly.

errs/problem.go (1)

29-29: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard nil receivers in (*Problem).Error() to avoid panic.

A nil *Problem stored in an error interface will panic when Error() dereferences p.Message.

Suggested minimal fix

-func (p *Problem) Error() string           { return p.Message }
+func (p *Problem) Error() string {
+	if p == nil {
+		return ""
+	}
+	return p.Message
+}

#!/bin/bash
# Verify current implementation lacks a nil guard in errs/problem.go
rg -n -A4 -B1 'func \(p \*Problem\) Error\(\) string' errs/problem.go
rg -n 'if p == nil' errs/problem.go

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@errs/problem.go` at line 29, The Error method on type (*Problem) should guard
against a nil receiver to avoid panics when a nil *Problem is stored in an error
interface; update the method (func (p *Problem) Error()) to check if p == nil
and return a safe string (e.g. an empty string or "<nil>") instead of
dereferencing p.Message, otherwise return p.Message as before so callers never
panic.

cmd/lintcheck/main.go (1)

41-50: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate the CLI-supplied repo root before scanning.

root is user-controlled input and is passed to lintcheck.ScanRepo without validate.SafeInputPath, which bypasses the repo’s path-safety guardrail for untrusted arguments.

Suggested minimal fix

 import (
 	"flag"
 	"fmt"
 	"os"
 
+	"github.com/larksuite/cli/internal/validate"
 	"github.com/larksuite/cli/internal/lintcheck"
 )
@@
 	if flag.NArg() > 0 {
 		root = flag.Arg(0)
@@
 		}
 	}
+	if err := validate.SafeInputPath(root); err != nil {
+		fmt.Fprintf(os.Stderr, "lintcheck: invalid repo root: %v\n", err)
+		os.Exit(2)
+	}
 
 	violations, err := lintcheck.ScanRepo(root)

As per coding guidelines: Validate paths before reading with validate.SafeInputPath because CLI arguments are untrusted.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/lintcheck/main.go` around lines 41 - 50, The CLI-provided root variable
is untrusted and is passed directly to lintcheck.ScanRepo which bypasses
path-safety checks; validate the path using validate.SafeInputPath (call it on
root after parsing/normalizing "./...") and handle its returned error (log and
exit) before calling lintcheck.ScanRepo so only safe paths are scanned; update
the main function to replace the direct use of root with the validated path and
propagate any validation error to prevent calling lintcheck.ScanRepo with unsafe
input.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/root.go`:
- Around line 203-212: Update the dispatch-order comment to reflect the actual
handler flow: state that errs.SecurityPolicyError is routed to
writeSecurityPolicyError before the typed-envelope path, and adjust the ordering
so that (1) core.ConfigError is promoted/handled as described, (2)
errs.SecurityPolicyError is handled by writeSecurityPolicyError, (3) other typed
errors from errs/ (e.g. *errs.PermissionError, *errs.APIError) are routed to the
typed envelope writer using errs.CategoryOf/ExitCodeOf, and (4) legacy
*output.ExitError is written as-is; mention the preservation of the original
core.ConfigError on the Cause chain as before.

In `@internal/lintcheck/rules.go`:
- Around line 573-576: The service-scope detection in rules.go currently treats
all internal/* packages as service scope except internal/errclass; add an
explicit exclusion for internal/output so it does not count as service scope and
avoids Rule C false positives. Update the branching that checks package path p
(the cases referencing "internal/errclass" and "internal/") to first check for
"internal/output" (e.g., strings.HasPrefix(p, "internal/output/") ||
strings.Contains(p, "/internal/output/")) and return false for that case before
the general internal/* case so internal/output is excluded from isServiceScope
checks.

In `@shortcuts/task/task_body_test.go`:
- Around line 71-80: The test removed assertions that verify the error message
branch (wantSubstr), allowing false positives; restore a check after obtaining p
from errs.ProblemOf(err) to assert that the produced problem message (e.g.,
p.Message or string(err) depending on how the test reads the message) contains
tt.wantSubstr, using the same pattern in both places (the block around
output.ExitCodeOf/errs.ProblemOf and the similar block at the later occurrence).
Ensure you reference output.ExitCodeOf(err), errs.ProblemOf(err), and p.Category
when adding the assertion so the test fails if the wrong validation branch is
returned even when category/code remains "validation".

In `@shortcuts/task/task_util_test.go`:
- Around line 47-56: The test removed the assertion that the returned error
message contains the expected substring (wantSubstr), so restore an assertion
after the typed error check that verifies the error text includes tt.wantSubstr
(e.g., using strings.Contains(err.Error(), tt.wantSubstr) or
strings.Contains(p.Message, tt.wantSubstr) depending on the Problem type); add
the strings import if needed and fail the test with t.Errorf or t.Fatalf when
the substring is missing so branch-level validation reasons are covered.

---

Duplicate comments:
In `@cmd/auth/scopes.go`:
- Around line 57-65: The current code unconditionally wraps any error from
getAppInfo into an errs.PermissionError (SubtypeAppScopeNotEnabled), which hides
non-authorization failures; change the logic in the caller of getAppInfo (the
scope-checking path that currently returns &errs.PermissionError{...}) to
inspect the original error returned by getAppInfo and only construct and return
an errs.PermissionError when the error clearly indicates the app-scope
authorization issue (e.g., match or use an exported sentinel, error type, or
check for a specific error string/condition that denotes app scope not enabled);
for all other errors returned by getAppInfo, return the original error unchanged
so callers can still errors.As/handle exit codes correctly.

In `@cmd/lintcheck/main.go`:
- Around line 41-50: The CLI-provided root variable is untrusted and is passed
directly to lintcheck.ScanRepo which bypasses path-safety checks; validate the
path using validate.SafeInputPath (call it on root after parsing/normalizing
"./...") and handle its returned error (log and exit) before calling
lintcheck.ScanRepo so only safe paths are scanned; update the main function to
replace the direct use of root with the validated path and propagate any
validation error to prevent calling lintcheck.ScanRepo with unsafe input.

In `@errs/problem.go`:
- Line 29: The Error method on type (*Problem) should guard against a nil
receiver to avoid panics when a nil *Problem is stored in an error interface;
update the method (func (p *Problem) Error()) to check if p == nil and return a
safe string (e.g. an empty string or "<nil>") instead of dereferencing
p.Message, otherwise return p.Message as before so callers never panic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e28fc312-4b4c-4fca-9c42-735cfc58ed34

📥 Commits

Reviewing files that changed from the base of the PR and between 24b4a47 and 661c2a3.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (81)

• .github/workflows/ci.yml
• .golangci.yml
• cmd/api/api.go
• cmd/api/api_test.go
• cmd/auth/scopes.go
• cmd/config/bind_test.go
• cmd/config/config_test.go
• cmd/error_auth_hint.go
• cmd/event/runtime.go
• cmd/lintcheck/main.go
• cmd/root.go
• cmd/root_integration_test.go
• cmd/root_test.go
• cmd/service/service.go
• cmd/service/service_test.go
• errs/category.go
• errs/category_test.go
• errs/doc.go
• errs/internal_carrier.go
• errs/marshal_test.go
• errs/predicates.go
• errs/predicates_test.go
• errs/problem.go
• errs/problem_test.go
• errs/projection/mcp.go
• errs/projection/mcp_test.go
• errs/projection/oauth.go
• errs/projection/oauth_test.go
• errs/subtypes.go
• errs/subtypes_service_task.go
• errs/types.go
• errs/types_test.go
• errs/wrap.go
• errs/wrap_test.go
• go.mod
• internal/auth/errors.go
• internal/auth/transport.go
• internal/auth/transport_test.go
• internal/auth/uat_client.go
• internal/client/api_errors.go
• internal/client/api_errors_test.go
• internal/client/client.go
• internal/client/client_test.go
• internal/client/pagination.go
• internal/client/response.go
• internal/client/response_test.go
• internal/cmdutil/json.go
• internal/core/config.go
• internal/core/errors.go
• internal/core/notconfigured.go
• internal/errclass/classify.go
• internal/errclass/classify_test.go
• internal/errclass/codemeta.go
• internal/errclass/codemeta_task.go
• internal/errclass/codemeta_test.go
• internal/errcompat/promote.go
• internal/errcompat/promote_test.go
• internal/lintcheck/rules.go
• internal/lintcheck/rules_test.go
• internal/lintcheck/scan.go
• internal/lintcheck/scan_test.go
• internal/lintcheck/typecheck.go
• internal/lintcheck/typecheck_test.go
• internal/output/errors.go
• internal/output/exitcode.go
• internal/output/exitcode_test.go
• internal/output/lark_errors.go
• shortcuts/base/base_execute_test.go
• shortcuts/calendar/calendar_test.go
• shortcuts/common/drive_media_upload.go
• shortcuts/common/drive_media_upload_test.go
• shortcuts/common/mcp_client_test.go
• shortcuts/drive/drive_status_test.go
• shortcuts/mail/mail_shortcut_validation_test.go
• shortcuts/markdown/helpers.go
• shortcuts/markdown/markdown_diff_test.go
• shortcuts/task/task_body_test.go
• shortcuts/task/task_query_helpers_test.go
• shortcuts/task/task_upload_attachment_test.go
• shortcuts/task/task_util_test.go
• tests/cli_e2e/config/bind_test.go

💤 Files with no reviewable changes (1)

• cmd/error_auth_hint.go

✅ Files skipped from review due to trivial changes (3)

• errs/subtypes_service_task.go
• internal/core/errors.go
• shortcuts/base/base_execute_test.go

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

internal/auth/transport.go (1)

179-180: ⚡ Quick win

Add focused tests for the new policy-category branch and typed return path.

These new lines are currently uncovered; add cases that verify (1) non-policy codes are ignored, and (2) policy codes produce *errs.SecurityPolicyError with expected Problem fields and ChallengeURL.

Also applies to: 206-213

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/auth/transport.go` around lines 179 - 180, Add unit tests covering
the new branch in the error-to-transport translation that uses
errclass.LookupCodeMeta: write one test where LookupCodeMeta returns ok but
meta.Category != errs.CategoryPolicy and assert the code path ignores policy
handling (original error or non-policy behavior); and a second test where
LookupCodeMeta returns ok with meta.Category == errs.CategoryPolicy and the
function returns a *errs.SecurityPolicyError with the expected Problem fields
and ChallengeURL populated. Use the same function under test that calls
errclass.LookupCodeMeta (referenced in the diff) and assert types and field
values on the returned error to exercise the typed return path.

cmd/root.go (1)

230-233: ⚡ Quick win

Add focused tests for the newly added root-dispatch branches.

The new config-promotion path and asExitError nil-return path are currently uncovered, and both sit on the root error contract boundary. A small regression test here would materially reduce dispatch drift risk.

Also applies to: 292-297

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/root.go` around lines 230 - 233, Add focused unit tests for the new root
dispatch branches: write one test that simulates an error that satisfies
errors.As(..., *core.ConfigError) and verifies that root dispatch calls
errcompat.PromoteConfigError (and the resulting behavior/exit code) so the
config-promotion path is covered, and write another test where asExitError
returns nil to exercise the nil-return path on the root error contract boundary
and assert the dispatcher handles it as expected; target the code paths around
the root dispatch logic (the errors.As(core.ConfigError) branch, the call to
errcompat.PromoteConfigError, and the asExitError nil-return behavior) so these
two branches (mentioned in root.go) have explicit assertions.

internal/auth/uat_client.go (1)

228-244: ⚡ Quick win

Add focused tests for policy-code metadata mapping in refresh flow.

This new branch changes observable behavior (returns *errs.SecurityPolicyError with Subtype/ChallengeURL) but is currently uncovered. A dedicated unit test here would lock the contract and prevent regressions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/auth/uat_client.go` around lines 228 - 244, Add a focused unit test
that exercises the refresh flow branch where errclass.LookupCodeMeta(code)
returns metaOK and meta.Category == errs.CategoryPolicy and verifies the
returned error is a *errs.SecurityPolicyError with Problem.Subtype set to the
meta.Subtype and ChallengeURL set from the "challenge_url" field; to do this,
arrange the test to inject an error response payload containing "challenge_url",
"cli_hint", and "error_description", stub or ensure
errclass.LookupCodeMeta(code) returns a meta with CategoryPolicy and a known
Subtype, invoke the refresh method in the UAT client (the code path that
contains the meta, metaOK := errclass.LookupCodeMeta(code) block), and assert
the error type and that Problem.Subtype, Problem.Code, Problem.Message,
Problem.Hint and ChallengeURL match the expected values to lock the contract and
prevent regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/service/service.go`:
- Line 520: The call to checkErr is using request.As which can mismatch the
computed identity; change checkErr to use the effective identity stored in
pagOpts.Identity (set by servicePaginate) instead of request.As so
classification/hints use the correct identity. Locate the calls to checkErr in
the servicePaginate flow (the one currently passing request.As around line with
servicePaginate and the other at the later call) and replace the request.As
argument with pagOpts.Identity (or the variable holding that value) so both
error checks use the initialized pagOpts.Identity.

In `@internal/lintcheck/scan_test.go`:
- Around line 291-299: The local variable rejectCount declared and incremented
inside the loop over v is never used and causes a compilation error; remove the
declaration "rejectCount := 0" and the increment "if vv.Action ==
lintcheck.ActionReject { rejectCount++ }" (or alternatively use rejectCount in
an assertion) so only used variables remain—look for the loop iterating over v
and the rejectCount symbol in scan_test.go and delete those two lines to fix the
test build.

---

Nitpick comments:
In `@cmd/root.go`:
- Around line 230-233: Add focused unit tests for the new root dispatch
branches: write one test that simulates an error that satisfies errors.As(...,
*core.ConfigError) and verifies that root dispatch calls
errcompat.PromoteConfigError (and the resulting behavior/exit code) so the
config-promotion path is covered, and write another test where asExitError
returns nil to exercise the nil-return path on the root error contract boundary
and assert the dispatcher handles it as expected; target the code paths around
the root dispatch logic (the errors.As(core.ConfigError) branch, the call to
errcompat.PromoteConfigError, and the asExitError nil-return behavior) so these
two branches (mentioned in root.go) have explicit assertions.

In `@internal/auth/transport.go`:
- Around line 179-180: Add unit tests covering the new branch in the
error-to-transport translation that uses errclass.LookupCodeMeta: write one test
where LookupCodeMeta returns ok but meta.Category != errs.CategoryPolicy and
assert the code path ignores policy handling (original error or non-policy
behavior); and a second test where LookupCodeMeta returns ok with meta.Category
== errs.CategoryPolicy and the function returns a *errs.SecurityPolicyError with
the expected Problem fields and ChallengeURL populated. Use the same function
under test that calls errclass.LookupCodeMeta (referenced in the diff) and
assert types and field values on the returned error to exercise the typed return
path.

In `@internal/auth/uat_client.go`:
- Around line 228-244: Add a focused unit test that exercises the refresh flow
branch where errclass.LookupCodeMeta(code) returns metaOK and meta.Category ==
errs.CategoryPolicy and verifies the returned error is a
*errs.SecurityPolicyError with Problem.Subtype set to the meta.Subtype and
ChallengeURL set from the "challenge_url" field; to do this, arrange the test to
inject an error response payload containing "challenge_url", "cli_hint", and
"error_description", stub or ensure errclass.LookupCodeMeta(code) returns a meta
with CategoryPolicy and a known Subtype, invoke the refresh method in the UAT
client (the code path that contains the meta, metaOK :=
errclass.LookupCodeMeta(code) block), and assert the error type and that
Problem.Subtype, Problem.Code, Problem.Message, Problem.Hint and ChallengeURL
match the expected values to lock the contract and prevent regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2cc6200f-1045-49c8-a66b-0f20f8c12625

📥 Commits

Reviewing files that changed from the base of the PR and between 661c2a3 and 4dd7ea7.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (81)

• .github/workflows/ci.yml
• .golangci.yml
• cmd/api/api.go
• cmd/api/api_test.go
• cmd/auth/scopes.go
• cmd/config/bind_test.go
• cmd/config/config_test.go
• cmd/error_auth_hint.go
• cmd/event/runtime.go
• cmd/lintcheck/main.go
• cmd/root.go
• cmd/root_integration_test.go
• cmd/root_test.go
• cmd/service/service.go
• cmd/service/service_test.go
• errs/category.go
• errs/category_test.go
• errs/doc.go
• errs/internal_carrier.go
• errs/marshal_test.go
• errs/predicates.go
• errs/predicates_test.go
• errs/problem.go
• errs/problem_test.go
• errs/projection/mcp.go
• errs/projection/mcp_test.go
• errs/projection/oauth.go
• errs/projection/oauth_test.go
• errs/subtypes.go
• errs/subtypes_service_task.go
• errs/types.go
• errs/types_test.go
• errs/wrap.go
• errs/wrap_test.go
• go.mod
• internal/auth/errors.go
• internal/auth/transport.go
• internal/auth/transport_test.go
• internal/auth/uat_client.go
• internal/client/api_errors.go
• internal/client/api_errors_test.go
• internal/client/client.go
• internal/client/client_test.go
• internal/client/pagination.go
• internal/client/response.go
• internal/client/response_test.go
• internal/cmdutil/json.go
• internal/core/config.go
• internal/core/errors.go
• internal/core/notconfigured.go
• internal/errclass/classify.go
• internal/errclass/classify_test.go
• internal/errclass/codemeta.go
• internal/errclass/codemeta_task.go
• internal/errclass/codemeta_test.go
• internal/errcompat/promote.go
• internal/errcompat/promote_test.go
• internal/lintcheck/rules.go
• internal/lintcheck/rules_test.go
• internal/lintcheck/scan.go
• internal/lintcheck/scan_test.go
• internal/lintcheck/typecheck.go
• internal/lintcheck/typecheck_test.go
• internal/output/errors.go
• internal/output/exitcode.go
• internal/output/exitcode_test.go
• internal/output/lark_errors.go
• shortcuts/base/base_execute_test.go
• shortcuts/calendar/calendar_test.go
• shortcuts/common/drive_media_upload.go
• shortcuts/common/drive_media_upload_test.go
• shortcuts/common/mcp_client_test.go
• shortcuts/drive/drive_status_test.go
• shortcuts/mail/mail_shortcut_validation_test.go
• shortcuts/markdown/helpers.go
• shortcuts/markdown/markdown_diff_test.go
• shortcuts/task/task_body_test.go
• shortcuts/task/task_query_helpers_test.go
• shortcuts/task/task_upload_attachment_test.go
• shortcuts/task/task_util_test.go
• tests/cli_e2e/config/bind_test.go

💤 Files with no reviewable changes (1)

• cmd/error_auth_hint.go

✅ Files skipped from review due to trivial changes (3)

• errs/doc.go
• errs/internal_carrier.go
• shortcuts/base/base_execute_test.go