fix: fetch official skills from stable index

[zhangheng023]

Summary

lark-cli update discovered official skills by parsing unstable human-oriented npx skills add --list output. This PR switches official skills discovery to the stable JSON index while preserving existing update and fallback behavior.

Changes

• Fetch the official skills index over HTTPS in internal/selfupdate/updater.go with timeout, non-2xx handling, and a 2 MiB response limit.
• Parse skills[].name JSON index entries in internal/skillscheck/sync.go before falling back to legacy text parsers.
• Add strict official skill name validation in internal/skillscheck/sync.go and install-time validation in internal/selfupdate/updater.go.
• Update JSON index, invalid-name, HTTP fetch, and command fixture coverage in internal/skillscheck/sync_test.go, internal/selfupdate/updater_test.go, and cmd/update/update_test.go.

Test Plan

• make unit-test passed
• go vet ./... passed
• gofmt -l . produced no output
• go mod tidy did not change go.mod or go.sum
• go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 run --new-from-rev=origin/main passed
• validate passed
• skipped: local-eval E2E not required for lite mode because this does not change shortcuts, skills, or meta API behavior
• skipped: skillave not required because this does not change shortcut or skill documentation
• acceptance-reviewer passed (2/2 scenarios)
• manual verification: go test ./internal/skillscheck ./internal/selfupdate ./cmd/update
• security code review passed

Related Issues

N/A

Summary by CodeRabbit

• New Features

  • Official skills are now fetched via HTTP JSON index from a well-known endpoint instead of using npm-based listing.

• Bug Fixes

  • Enhanced validation for official skill names to prevent invalid characters.
  • Improved error handling for skills index fetching, including response validation and size limits.

• Tests

  • Expanded test coverage for HTTP-based skills index operations and error scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors official skills discovery from npm-based listing to HTTP-based index fetching. Official skills are now fetched via a configurable well-known endpoint, validated by regex, and parsed from JSON format. Legacy text-based parsing remains as a fallback for global and available skills.

Changes

Official Skills HTTP Index, Validation, and Parsing

Layer / File(s)	Summary
HTTP-based official skills index fetch internal/selfupdate/updater.go, internal/selfupdate/updater_test.go, cmd/update/update_test.go	HTTP GET to /.well-known/skills/index.json with timeout, size limits, and status validation. OfficialSkillsIndexURL field configures the endpoint. fetchOfficialSkillsIndex reads and validates JSON response. Tests use httptest servers to verify fetch, error handling, and size limit enforcement.
Official skill name validation on install internal/selfupdate/updater.go, internal/selfupdate/updater_test.go, cmd/update/update_test.go	validateOfficialSkillNames rejects invalid skill names (including @) before running npm commands. Removes obsolete npm-based runSkillsListOfficial. Test stubs updated to represent incremental/full/fallback installs; "list official primary" verification removed. New test confirms invalid names are rejected before command execution.
Official skills JSON index parsing in skillscheck internal/skillscheck/sync.go, internal/skillscheck/sync_test.go	ParseSkillsList prefers JSON-based official index parsing, falling back to legacy text formats. parseOfficialSkillsIndex unmarshals JSON, validates names by regex, deduplicates, and returns sorted list. Fixture officialSkillsOutput changed to JSON format. Tests cover JSON parsing, invalid name filtering, and legacy compatibility.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• larksuite/cli#1042: The HTTP-based official skills index fetch and JSON parsing directly support the incremental "official skills sync" flow introduced in #1042 by providing the official skills source and format that the updated skillscheck/update logic depends on.

Suggested labels

size/L

Suggested reviewers

• MaxHuang22
• liangshuo-1

Poem

🐰 A well-known endpoint now guides the way,
Official skills index fetched fresh each day,
JSON parsed clean, names validated right,
HTTP brings order to skills insight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: fetch official skills from stable index' clearly and concisely describes the main change: replacing unstable output parsing with fetching from a stable JSON index.
Description check	✅ Passed	The description includes all required template sections: Summary (concise motivation and scope), Changes (specific implementation details), Test Plan (comprehensive with completed checkmarks and results), and Related Issues.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/update-skills-index

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@93754a9b5afe8f43824eb9b0ecc71c094951a427

🧩 Skill update

npx skills add larksuite/cli#fix/update-skills-index -y -g

[codecov]

Codecov Report

❌ Patch coverage is 68.33333% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.13%. Comparing base (99e314f) to head (93754a9).

Files with missing lines	Patch %	Lines
internal/selfupdate/updater.go	61.53%	11 Missing and 4 partials ⚠️
internal/skillscheck/sync.go	80.95%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1190      +/-   ##
==========================================
- Coverage   69.14%   69.13%   -0.01%     
==========================================
  Files         630      630              
  Lines       59304    59359      +55     
==========================================
+ Hits        41005    41040      +35     
- Misses      14988    15001      +13     
- Partials     3311     3318       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

internal/selfupdate/updater.go (1)

30-30: ⚡ Quick win

Consider extracting the duplicated regex pattern to a shared package.

The officialSkillNamePattern regex is duplicated in internal/skillscheck/sync.go (line 19). Consider moving both patterns to a shared validation package or constants file to maintain a single source of truth.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/selfupdate/updater.go` at line 30, Extract the duplicated regex into
a single exported constant/variable in a shared validation package (e.g., create
Validation package with an exported OfficialSkillNamePattern or
OfficialSkillNameRegex), replace both internal.selfupdate.updater.go's
officialSkillNamePattern and internal.skillscheck.sync.go's local pattern with
references to that shared symbol, update imports in the files that used the
local pattern, and run/update any tests that reference the old symbol to ensure
no behavior change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/selfupdate/updater.go`:
- Line 30: Extract the duplicated regex into a single exported constant/variable
in a shared validation package (e.g., create Validation package with an exported
OfficialSkillNamePattern or OfficialSkillNameRegex), replace both
internal.selfupdate.updater.go's officialSkillNamePattern and
internal.skillscheck.sync.go's local pattern with references to that shared
symbol, update imports in the files that used the local pattern, and run/update
any tests that reference the old symbol to ensure no behavior change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a8de7961-6427-44c6-bdf4-d4a94d793a05

📥 Commits

Reviewing files that changed from the base of the PR and between 99e314f and 93754a9.

📒 Files selected for processing (5)

• cmd/update/update_test.go
• internal/selfupdate/updater.go
• internal/selfupdate/updater_test.go
• internal/skillscheck/sync.go
• internal/skillscheck/sync_test.go