feat(auth): add auth qrcode subcommand and update auth docs/hints

[JackZhao10086]

Summary

Add lark-cli auth qrcode subcommand and update all auth login hints to require AI agents to generate QR codes for verification URLs, improving the user experience during OAuth device flow authorization.

Changes

• Add lark-cli auth qrcode <url> subcommand that generates QR codes in two formats: PNG (--output for file path) and ASCII (--ascii for terminal output)
• Update AgentTimeoutHint in both Chinese and English to require QR code generation with clear decision rules: prefer PNG, use ASCII only in pure terminal/CLI environments
• Add display order guidance: URL first, then QR code below it
• Expand "harness" to "harness or agent tool" in timeout hints to cover more agent scenarios
• Update --no-wait --json hint in login.go with QR code and display order guidance
• Update bind_messages.go MessageUserDefault with QR code requirements
• Update lark-shared/SKILL.md URL forwarding rules with QR code generation requirements
• Update auth login -h Long description to mention QR code support
• Update test cases to verify new hint content

Test Plan

• Unit tests pass (go test ./cmd/auth/...)
• lark-cli auth qrcode <url> --ascii outputs ASCII QR code to stdout
• lark-cli auth qrcode <url> --output /tmp/qrcode.png generates PNG file
• lark-cli auth qrcode without URL argument returns error
• lark-cli auth qrcode -h shows correct usage with positional <url> argument

Related Issues

• None

Summary by CodeRabbit

• New Features

  • Added an auth QR-code command to generate verification QR codes (PNG or ASCII) and integrated it into the auth command set.

• Documentation

  • Updated authentication guidance to require QR-code generation for verification URLs and to treat those URLs as opaque strings.

• User-facing messages

  • Clarified login prompts and JSON no-wait hints: instruct QR-code use, prefer PNG with ASCII fallback, specify display order (URL then QR), and outline agent polling/resume flow.

• Tests

  • Added and updated tests to cover QR-code command parsing, generation (PNG/ASCII), validation, and revised hint wording.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds auth qrcode CLI command (PNG or ASCII), exposes it under auth, updates login help and localized/no-wait JSON hints (EN/CN) to require QR-code generation and specific display ordering, updates tests to match, and revises skill docs to require QR generation for verification URLs.

Changes

Auth QR Code Generation Feature

Layer / File(s)	Summary
QR Code Command Implementation cmd/auth/qrcode.go	Adds QRCodeOptions and NewCmdAuthQRCode with flags and validation; implements runQRCode to choose ASCII or PNG generation; encodes PNG via go-qrcode (medium EC) and writes PNG or prints ASCII; maps validation and internal errors to exit codes.
Auth Command Wiring cmd/auth/auth.go	Registers NewCmdAuthQRCode(f, nil) in the auth command group so the subcommand is exposed.
Login Messages and User Guidance cmd/auth/login.go, cmd/auth/login_messages.go	Extends auth login help and --no-wait JSON hint/localized AgentTimeoutHint (EN/CN) to instruct using lark-cli auth qrcode, prefer PNG with ASCII fallback, require URL-first then QR-below display order, and treat verification URLs as opaque raw strings; adds small doc comments for helpers.
Tests for QR Command and Hints cmd/auth/qrcode_test.go, cmd/auth/login_test.go, cmd/auth/auth_test.go	Adds comprehensive tests for auth qrcode flag parsing, validation, PNG/ASCII output, generator errors, and updates login/help tests to assert revised hint/agent_hint contents (QR guidance and opaque-URL rules).
Skill Documentation skills/lark-shared/SKILL.md	Rewrites "URL 转发规则" to require generating/displaying a QR code via lark-cli auth qrcode for verification/console URLs while preserving the opaque-URL constraint and recommending the raw URL in a standalone code block.

Sequence Diagram(s)

sequenceDiagram
  participant User as "User/Agent"
  participant CLI as "lark-cli auth qrcode"
  participant Runner as "runQRCode"
  participant Encoder as "go-qrcode / qrcode.New"
  participant Storage as "vfs.WriteFile / stdout"

  User->>CLI: invoke with URL, --output/--ascii, --size
  CLI->>Runner: populate QRCodeOptions and execute
  Runner->>Encoder: encode URL to PNG or ASCII
  Encoder->>Storage: write PNG to file or print ASCII to stdout

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• larksuite/cli#950: Reverts/removes QR-code output and related message strings; directly conflicts with QR guidance changes.
• larksuite/cli#856: Overlaps on auth device-flow hint/message updates for verification_url handling.
• larksuite/cli#933: Overlaps on auth login device-flow guidance and hint/help-string changes.

Suggested reviewers

• liangshuo-1
• albertnusouo
• XingjianSun

Poem

🐰 I nibbled code and drew a square,
A tiny maze that lights with care.
PNG gleams or ASCII beams,
Scan the square to finish dreams.
A bunny hops you through the streams.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 39.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main changes: adding an auth qrcode subcommand and updating authentication documentation and hints.
Description check	✅ Passed	The description covers all required template sections: summary explains the motivation, changes are clearly listed, test plan is detailed with checkmarks, and related issues are noted.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/auth_qrcode

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/auth/qrcode.go`:
- Around line 85-87: Replace the direct os.WriteFile call with the repository
filesystem abstraction and validate the CLI-provided path first: call
validate.SafeInputPath(outputPath) (returning the appropriate output.Errorf on
failure) and then use vfs.WriteFile(ctxOrFS, outputPath, png, 0644) (or the
package's equivalent vfs.WriteFileFileSystem method) instead of os.WriteFile;
keep the same error handling that returns output.Errorf(output.ExitInternal,
"write_error", fmt.Sprintf("failed to write QR code to %s: %v", outputPath,
err)) when the vfs write fails.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 784fa3d7-b7db-4469-93ee-43a714434e0f

📥 Commits

Reviewing files that changed from the base of the PR and between 7c54f9b and e92aaa8.

📒 Files selected for processing (6)

• cmd/auth/auth.go
• cmd/auth/login.go
• cmd/auth/login_messages.go
• cmd/auth/login_test.go
• cmd/auth/qrcode.go
• skills/lark-shared/SKILL.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace direct os.WriteFile with repo-safe filesystem/path handling.

This write path uses a user-supplied CLI argument directly with os.WriteFile, which bypasses the repository’s filesystem abstraction and path-safety expectations.

Proposed fix

 import (
 	"context"
 	"fmt"
-	"os"

 	"github.com/skip2/go-qrcode"
 	"github.com/spf13/cobra"

 	"github.com/larksuite/cli/internal/cmdutil"
 	"github.com/larksuite/cli/internal/output"
+	"github.com/larksuite/cli/internal/vfs"
 )
@@
-	err = os.WriteFile(outputPath, png, 0644)
+	// Validate outputPath with the repo-standard path validator for untrusted CLI paths.
+	err = vfs.WriteFile(outputPath, png, 0644)
 	if err != nil {
 		return output.Errorf(output.ExitInternal, "write_error", fmt.Sprintf("failed to write QR code to %s: %v", outputPath, err))
 	}

As per coding guidelines: "**/*.go: Use vfs.* instead of os.* for all filesystem access to enable test mocking" and "Validate paths before reading with validate.SafeInputPath because CLI arguments are untrusted."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/auth/qrcode.go` around lines 85 - 87, Replace the direct os.WriteFile
call with the repository filesystem abstraction and validate the CLI-provided
path first: call validate.SafeInputPath(outputPath) (returning the appropriate
output.Errorf on failure) and then use vfs.WriteFile(ctxOrFS, outputPath, png,
0644) (or the package's equivalent vfs.WriteFileFileSystem method) instead of
os.WriteFile; keep the same error handling that returns
output.Errorf(output.ExitInternal, "write_error", fmt.Sprintf("failed to write
QR code to %s: %v", outputPath, err)) when the vfs write fails.

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@6d6733a11330f963d417e64a790119f3faca9241

🧩 Skill update

npx skills add larksuite/cli#feat/auth_qrcode -y -g

[codecov]

Codecov Report

❌ Patch coverage is 96.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.42%. Comparing base (13411d9) to head (6d6733a).

Files with missing lines	Patch %	Lines
cmd/auth/qrcode.go	95.45%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #968      +/-   ##
==========================================
+ Coverage   67.39%   67.42%   +0.02%     
==========================================
  Files         572      573       +1     
  Lines       53659    53705      +46     
==========================================
+ Hits        36165    36209      +44     
- Misses      14486    14487       +1     
- Partials     3008     3009       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.