
fix: restrict user_mailbox shortcuts to user identity only #802

Open
guo00110211 wants to merge 1 commit into larksuite:main from guo00110211:fix/user-mailbox-bot-identity-error
@guo00110211 guo00110211 commented May 10, 2026

Summary

Six mail shortcuts (+triage, +messages, +thread, +message, +template-create, +template-update) incorrectly declared AuthTypes: ["user","bot"] but exclusively call user_mailbox.* APIs, which only support user identity (UAT). When bot identity was used — via --as bot or bot-only strict mode — the Lark server returned a misleading param is invalid error. This PR restricts AuthTypes to ["user"] so CheckIdentity rejects bot identity before any API call is made, producing a clear actionable error.

Changes

  • shortcuts/mail/mail_triage.go: AuthTypes ["user","bot"] → ["user"]
  • shortcuts/mail/mail_messages.go: same
  • shortcuts/mail/mail_template_create.go: same
  • shortcuts/mail/mail_thread.go: same
  • shortcuts/mail/mail_template_update.go: same
  • shortcuts/mail/mail_message.go: same
  • shortcuts/mail/mail_auth_types_test.go: new unit test TestUserMailboxShortcutsRequireUserIdentity covering all six shortcuts

Test Plan

  • make unit-test passed
  • validate passed (build / vet / unit / integration all green)
  • local-eval skipped: sandbox ccr-config.json not configured in test environment
  • acceptance-reviewer passed (5/5 cases: bot rejection on all 6 commands, --as completion, dry-run interaction, user identity backward compat)
  • manual verification: lark-cli mail +triage --as bot → Error: --as bot is not supported, this command only supports: user (exit 1, no API call made)

Related Issues

N/A

Summary by CodeRabbit

  • Bug Fixes

    • Six mail shortcuts (message, messages, template-create, template-update, thread, triage) now require user authentication only; bot authentication is no longer accepted.
  • Tests

    • Added a test that verifies mail shortcuts reject bot identity and enforce user identity.
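
The identity gate described in the PR, as an added Go sketch that is not code from larksuite/cli: a client-side check that rejects an identity the command does not declare, plus an audit that flags declarations broader than what the backing API family accepts. `Shortcut`, `APIPrefix`, `apiIdentities`, `checkIdentity` and `overDeclared` are hypothetical names; only `AuthTypes`, the identity names and the error wording come from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Shortcut is a hypothetical stand-in for the CLI's shortcut declaration.
type Shortcut struct {
	Name      string
	AuthTypes []string // identities the command claims to accept
	APIPrefix string   // API family the command calls (assumed field)
}

// apiIdentities is a constructed capability map; per the PR, user_mailbox.* is user-only.
var apiIdentities = map[string][]string{"user_mailbox.": {"user"}}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// checkIdentity rejects an undeclared identity before any API call is made.
func checkIdentity(s Shortcut, as string) error {
	if contains(s.AuthTypes, as) {
		return nil
	}
	return fmt.Errorf("--as %s is not supported, this command only supports: %s", as, strings.Join(s.AuthTypes, ", "))
}

// overDeclared lists identities a shortcut declares but its API family rejects.
// An unknown API family has no allowed identities, so everything is flagged.
func overDeclared(s Shortcut) []string {
	var extra []string
	for _, id := range s.AuthTypes {
		if !contains(apiIdentities[s.APIPrefix], id) {
			extra = append(extra, id)
		}
	}
	return extra
}

func main() {
	s := Shortcut{"+triage", []string{"user", "bot"}, "user_mailbox."} // pre-fix declaration
	fmt.Println(checkIdentity(s, "bot"), overDeclared(s))
}
```

With the pre-fix declaration the gate lets `bot` through and only the audit catches the mismatch, which is why a declaration-versus-capability check is worth running in CI alongside the per-command rejection test.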


CLAassistant commented May 10, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions Bot added the labels domain/mail (PR touches the mail domain) and size/M (Single-domain feat or fix with limited business impact) May 10, 2026

coderabbitai Bot commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e9e5e40-c658-437b-9135-92eb3cfe910d

📥 Commits

Reviewing files that changed from the base of the PR and between 86e6bbd and c0c9434.

📒 Files selected for processing (7)
  • shortcuts/mail/mail_auth_types_test.go
  • shortcuts/mail/mail_message.go
  • shortcuts/mail/mail_messages.go
  • shortcuts/mail/mail_template_create.go
  • shortcuts/mail/mail_template_update.go
  • shortcuts/mail/mail_thread.go
  • shortcuts/mail/mail_triage.go
✅ Files skipped from review due to trivial changes (1)
  • shortcuts/mail/mail_triage.go
🚧 Files skipped from review as they are similar to previous changes (5)
  • shortcuts/mail/mail_auth_types_test.go
  • shortcuts/mail/mail_message.go
  • shortcuts/mail/mail_thread.go
  • shortcuts/mail/mail_template_update.go
  • shortcuts/mail/mail_template_create.go

📝 Walkthrough

Six mail shortcuts (message, messages, template-create, template-update, thread, triage) are restricted to user-only authentication. A new test runs each shortcut with --as bot and asserts execution fails with an error containing "not supported".

Changes

Mail shortcuts user-only authentication

| Layer / File(s) | Summary |
|---|---|
| Auth type restrictions: shortcuts/mail/mail_message.go, shortcuts/mail/mail_messages.go, shortcuts/mail/mail_template_create.go, shortcuts/mail/mail_template_update.go, shortcuts/mail/mail_thread.go, shortcuts/mail/mail_triage.go | Six mail shortcuts restrict AuthTypes from ["user", "bot"] to ["user"]. |
| Auth type enforcement test: shortcuts/mail/mail_auth_types_test.go | New test TestUserMailboxShortcutsRequireUserIdentity iterates over the user-only shortcuts, executes each with --as bot and required flags, and verifies the error message contains "not supported". |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • larksuite/cli#642: Modifies mail template shortcut AuthTypes (mail_template_create.go and mail_template_update.go).
  • larksuite/cli#198: Related removal of "bot" from mail shortcut AuthTypes for other mail shortcuts.

Suggested reviewers

  • chanthuang
  • infeng
  • haidaodashushu

Poem

🐰 A rabbit hops through code and test,
Says "user-only" is what we request,
Bots are kindly shown the gate,
Tests confirm the rejected state,
Cheers — the shortcuts pass the quest!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: restricting six user_mailbox-based mail shortcuts to user identity only instead of allowing bot identity. |
| Description check | ✅ Passed | The description is comprehensive and complete, covering all required sections: summary of motivation, detailed list of changes, test plan with verification results, and related issues. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@guo00110211 guo00110211 force-pushed the fix/user-mailbox-bot-identity-error branch from 7549ab6 to 86e6bbd Compare May 12, 2026 06:17
@guo00110211
Author

I have read the CLA Document and I hereby sign the CLA

user_mailbox.* APIs do not support bot (TAT) access. Six shortcuts
incorrectly declared AuthTypes ["user","bot"], causing the Lark API
to return a misleading 'param is invalid' error when bot identity was
used. Fix by restricting AuthTypes to ["user"] so CheckIdentity
rejects bot identity before any API call is made.
@guo00110211 guo00110211 force-pushed the fix/user-mailbox-bot-identity-error branch from 86e6bbd to c0c9434 Compare May 12, 2026 06:23