Skip to content

feat: support env credential files#1863

Open
aihes wants to merge 2 commits into
larksuite:mainfrom
aihes:codex/env-token-file-provider
Open

feat: support env credential files#1863
aihes wants to merge 2 commits into
larksuite:mainfrom
aihes:codex/env-token-file-provider

Conversation

@aihes

@aihes aihes commented Jul 13, 2026

Copy link
Copy Markdown

Summary

Add file-backed credential inputs for the env credential provider so sandboxed agents can pass app IDs and short-lived access tokens via protected files instead of expanding token values into command-line arguments or shell environment setup scripts.

Changes

  • Add LARKSUITE_CLI_APP_ID_FILE, LARKSUITE_CLI_USER_ACCESS_TOKEN_FILE, and LARKSUITE_CLI_TENANT_ACCESS_TOKEN_FILE.
  • Teach the env credential provider to read exactly one credential value from an absolute file path, fail closed on env/file conflicts, empty files, multiline files, or oversized files, and report token sources without exposing raw values.
  • Add SafeEnvFilePath validation for environment-provided credential files.
  • Cover file-backed app ID, UAT, TAT, conflict, empty/multiline, relative-path, and path-validation cases with focused tests.

Test Plan

  • go test ./internal/vfs/localfileio ./internal/validate ./internal/envvars ./extension/credential/env
  • git diff --check
  • gofmt on changed Go files
  • Manual local verification confirms the lark-cli <domain> <command> flow works as expected with real file-backed credentials

Related Issues

  • None

Summary by CodeRabbit

  • New Features
    • Credentials can now be supplied through secure *_FILE environment variables, including application IDs and access tokens.
    • File-based credentials support absolute paths and canonical file resolution.
  • Bug Fixes
    • Clear errors are provided when both direct and file-based variables are set.
    • Invalid credential files are rejected when empty, multiline, oversized, inaccessible, relative, or pointing to directories.
  • Tests
    • Added coverage for file-based account and token resolution and path validation.

@aihes aihes requested a review from liangshuo-1 as a code owner July 13, 2026 09:26
@github-actions github-actions Bot added the size/M Single-domain feat or fix with limited business impact label Jul 13, 2026
@CLAassistant

CLAassistant commented Jul 13, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 92d99063-3d9e-4a24-8ac8-ffaf5855c841

📥 Commits

Reviewing files that changed from the base of the PR and between 73992f7 and 77a99be.

📒 Files selected for processing (2)
  • extension/credential/env/env.go
  • extension/credential/env/env_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • extension/credential/env/env.go
  • extension/credential/env/env_test.go

📝 Walkthrough

Walkthrough

Credential providers now accept values from direct environment variables or validated *_FILE paths, with file-content validation, source reporting, conflict handling, and expanded tests.

Changes

Credential file support

Layer / File(s) Summary
Environment file path validation
internal/validate/path.go, internal/vfs/localfileio/path.go, internal/vfs/localfileio/path_test.go
Adds validation for absolute, canonical file paths and rejects control characters, relative paths, and directories.
Credential resolution from environment files
extension/credential/env/env.go, internal/envvars/envvars.go
Loads account and token credentials from environment variables or *_FILE values, rejects conflicts and invalid content, limits files to 64 KiB, and records the credential source.
Credential resolution coverage
extension/credential/env/env_test.go
Tests file-based account and token resolution, missing app IDs, env/file conflicts, source reporting, invalid content, and path failures.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Provider
  participant readCredentialValue
  participant SafeEnvFilePath
  participant vfs.ReadFile
  Provider->>readCredentialValue: Resolve credential
  readCredentialValue->>SafeEnvFilePath: Validate *_FILE path
  SafeEnvFilePath-->>readCredentialValue: Canonical path
  readCredentialValue->>vfs.ReadFile: Read file contents
  vfs.ReadFile-->>readCredentialValue: Credential value
  readCredentialValue-->>Provider: Value and source
Loading

Suggested reviewers: liangshuo-1

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 18.18% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: support for credential files in the env provider.
Description check ✅ Passed The description follows the required template and includes summary, changes, test plan, and related issues with sufficient detail.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
putComment timed out

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
extension/credential/env/env.go (1)

52-54: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Missing _FILE variant in error message.

Unlike the sibling messages at Lines 45 and 47 which use tokenName(envvars.CliAppID, envvars.CliAppIDFile), this message only references envvars.CliAppID, omitting the file-based alternative. Since AppID can now come from either variable, the error should mention both.

🐛 Proposed fix
 	if appID == "" {
-		return nil, &credential.BlockError{Provider: "env", Reason: envvars.CliAppSecret + " is set but " + envvars.CliAppID + " is missing"}
+		return nil, &credential.BlockError{Provider: "env", Reason: envvars.CliAppSecret + " is set but " + tokenName(envvars.CliAppID, envvars.CliAppIDFile) + " is missing"}
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@extension/credential/env/env.go` around lines 52 - 54, Update the
missing-AppID error in the env credential validation flow to use tokenName with
envvars.CliAppID and envvars.CliAppIDFile, matching the sibling errors and
mentioning both supported variable forms. Keep the existing provider and
missing-secret context unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@extension/credential/env/env_test.go`:
- Around line 396-403: Update the writeEnvFile test helper to create fixtures
with os.WriteFile instead of vfs.WriteFile, and replace the vfs import with the
standard library os import. Preserve the existing path construction, file
permissions, error handling, and returned path.

In `@extension/credential/env/env.go`:
- Around line 154-160: Update the file-backed credential loading flow around
vfs.ReadFile to stat the path first and reject files larger than
maxCredentialFileBytes before reading any contents. Preserve the existing
BlockError provider, reason context, and successful data handling, while
ensuring the size guard also covers files that would otherwise be fully loaded
or never reach EOF.

---

Outside diff comments:
In `@extension/credential/env/env.go`:
- Around line 52-54: Update the missing-AppID error in the env credential
validation flow to use tokenName with envvars.CliAppID and envvars.CliAppIDFile,
matching the sibling errors and mentioning both supported variable forms. Keep
the existing provider and missing-secret context unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e7b26749-fcc6-4a0a-8244-7f0dae7a18d6

📥 Commits

Reviewing files that changed from the base of the PR and between 1ab8530 and 73992f7.

📒 Files selected for processing (6)
  • extension/credential/env/env.go
  • extension/credential/env/env_test.go
  • internal/envvars/envvars.go
  • internal/validate/path.go
  • internal/vfs/localfileio/path.go
  • internal/vfs/localfileio/path_test.go

Comment thread extension/credential/env/env_test.go
Comment thread extension/credential/env/env.go Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/M Single-domain feat or fix with limited business impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants