feat(drive): add +public-permission-update shortcut

[zhaojiaxing-coding]

Add drive +public-permission-update for high-risk Drive public permission updates. The shortcut keeps request bodies flat, validates target and field combinations before API calls, and documents safer agent usage for public access changes.

Key features:

• Add URL and bare-token target handling for Drive public permission updates

• Validate single-page and external/link-share field combinations with typed errors

• Cover shortcut behavior with unit tests and dry-run E2E coverage

• Document shortcut-first skill guidance with safe default examples

Summary

Changes

• Change 1
• Change 2

Test Plan

• Unit tests pass
• Manual local verification confirms the lark-cli <domain> <command> flow works as expected

Related Issues

• None

Summary by CodeRabbit

• New Features

  • Added drive +public-permission-update shortcut to update Drive public permission settings (supports token or URL targets).
  • Includes --dry-run previews, and requires confirmation for high-risk writes; supports --perm-type.

• Bug Fixes

  • Strengthened input validation for required --type, supported --perm-type single_page field combinations, and compatibility rules between link-sharing and external-access entities.

• Documentation

  • Added dedicated reference and updated skill guidance with usage examples and common error handling.

• Tests

  • Added unit and CLI e2e coverage for target resolution, dry-run request shapes, and validation failures.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new drive shortcut for updating public permissions, with token/type resolution, permission-field validation, shortcut registration, tests, and drive guidance updates.

Changes

Drive public permission update

Layer / File(s)	Summary
Shortcut definition and body builder shortcuts/drive/drive_public_permission.go	Adds the new public-permission shortcut, supported target and permission constants, and PATCH body construction for the request payload.
Target resolution and validation shortcuts/drive/drive_public_permission.go	Resolves bare tokens or supported URLs to a token/type pair, parses URL paths, and validates permission-field combinations including single_page and external/link-share constraints.
Registry and unit coverage shortcuts/drive/shortcuts.go, shortcuts/drive/shortcuts_test.go, shortcuts/drive/drive_public_permission_test.go	Registers the new shortcut and adds unit tests for target resolution, validation failures, high-risk confirmation, and successful request capture.
Docs and e2e dry-run checks skills/lark-drive/SKILL.md, skills/lark-drive/references/lark-drive-public-permission-update.md, tests/cli_e2e/drive/drive_public_permission_dryrun_test.go	Updates the drive guidance and reference doc, and adds CLI e2e coverage for dry-run request shape and structured validation errors.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

size/L, domain/ccm

Suggested reviewers

• caojie0621
• fangshuyu-768

Poem

A rabbit found a public door,
Checked token, type, and then checked more.
With dry-run first and --yes in sight,
The drive permissions hopped just right.
🐰✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The PR description matches the template but leaves the Summary and Changes sections as placeholders, so the required details are missing.	Fill in the Summary with 1-3 sentences, replace the placeholder Change 1/2 items with the actual changes, and briefly describe the test plan.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and accurately summarizes the main change: adding the +public-permission-update drive shortcut.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/open_rest_create_permission_member_support_single_page

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

❌ Patch coverage is 84.05797% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.76%. Comparing base (7346de3) to head (6fbd0d0).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
shortcuts/drive/drive_public_permission.go	83.94%	13 Missing and 9 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1593      +/-   ##
==========================================
+ Coverage   74.72%   74.76%   +0.04%     
==========================================
  Files         799      800       +1     
  Lines       80274    80518     +244     
==========================================
+ Hits        59983    60200     +217     
- Misses      15846    15862      +16     
- Partials     4445     4456      +11     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

PR Quality Summary

CI did not complete successfully. Use the failed check links below to decide whether this PR needs a code change or a rerun.

Failed checks

• e2e-live — failure — details
• results — failure — details

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@6fbd0d08e3565a7e464d9f616d1e82b82b2161a7

🧩 Skill update

npx skills add larksuite/cli#feat/open_rest_create_permission_member_support_single_page -y -g

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shortcuts/drive/drive_public_permission_test.go`:
- Around line 258-260: The confirmation-error check in the drive permission test
is only matching the error string, so it should be updated to assert the typed
error contract instead. In the test around the err check, use
errs.ProblemOf(err) and/or errors.As to verify the error is a
*errs.ConfirmationRequiredError, and assert the expected metadata fields
(category, subtype, param) and cause preservation rather than relying on the
"requires confirmation" message substring.

In `@shortcuts/drive/drive_public_permission.go`:
- Around line 149-160: The URL parsing flow in drive_public_permission.go is
accepting any host as long as the path matches, which can misclassify
unsupported domains as valid document targets. In the URL handling branch that
uses url.Parse and parseDrivePublicPermissionURLPath, add host validation for
the public-permission shortcut so only https URLs with supported Feishu/Lark
host suffixes are accepted; otherwise return a validation error and require
unknown hosts to be provided as bare tokens with --type.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ae913c35-6bc1-4046-a208-bfce76270e7c

📥 Commits

Reviewing files that changed from the base of the PR and between 40a09c8 and e5a0c25.

📒 Files selected for processing (7)

• shortcuts/drive/drive_public_permission.go
• shortcuts/drive/drive_public_permission_test.go
• shortcuts/drive/shortcuts.go
• shortcuts/drive/shortcuts_test.go
• skills/lark-drive/SKILL.md
• skills/lark-drive/references/lark-drive-public-permission-update.md
• tests/cli_e2e/drive/drive_public_permission_dryrun_test.go

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Assert the typed confirmation error, not just the message.

This would pass if the high-risk path regressed to an untyped string error. Use errs.ProblemOf(err) and/or errors.As for *errs.ConfirmationRequiredError so the test locks the metadata contract. As per coding guidelines, “Error-path tests must assert typed metadata via errs.ProblemOf (category / subtype / param) and cause preservation, not message substrings alone.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shortcuts/drive/drive_public_permission_test.go` around lines 258 - 260, The
confirmation-error check in the drive permission test is only matching the error
string, so it should be updated to assert the typed error contract instead. In
the test around the err check, use errs.ProblemOf(err) and/or errors.As to
verify the error is a *errs.ConfirmationRequiredError, and assert the expected
metadata fields (category, subtype, param) and cause preservation rather than
relying on the "requires confirmation" message substring.

Source: Coding guidelines

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Reject unsupported URL hosts before inferring a high-risk target.

This currently accepts any URL with a supported path shape, so https://not-lark.example/docx/<valid-token> is treated as a Lark document URL and can drive a public-permission update. For this high-risk shortcut, validate https plus supported Feishu/Lark host suffixes, or require unknown hosts to be passed as bare tokens with --type.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shortcuts/drive/drive_public_permission.go` around lines 149 - 160, The URL
parsing flow in drive_public_permission.go is accepting any host as long as the
path matches, which can misclassify unsupported domains as valid document
targets. In the URL handling branch that uses url.Parse and
parseDrivePublicPermissionURLPath, add host validation for the public-permission
shortcut so only https URLs with supported Feishu/Lark host suffixes are
accepted; otherwise return a validation error and require unknown hosts to be
provided as bare tokens with --type.