diff --git a/cmd/auth/login.go b/cmd/auth/login.go
index b06fc343b..5f3a959e7 100644
--- a/cmd/auth/login.go
+++ b/cmd/auth/login.go
@@ -279,7 +279,13 @@ func authLoginRun(opts *LoginOptions) error {
 "verification_url": authResp.VerificationUriComplete,
 "device_code": authResp.DeviceCode,
 "expires_in": authResp.ExpiresIn,
- "hint": fmt.Sprintf("**MUST generate QR code AND display it:** You MUST call lark-cli auth qrcode to convert verification_url into a QR code. This is a required step, do NOT skip it. Prefer PNG QR code (--output); use ASCII (--ascii) only when the user explicitly requests it.**CRITICAL: You MUST include the QR image in your response.** Generating the file alone is NOT enough—use image tags, inline images, or file attachments to display it.**Display order:** Output the URL first, then place the QR code image below the URL.**URL Output Rules:** Treat verification_url as an opaque string that cannot be modified. Do NOT URL-encode/decode or add spaces/punctuation. For agent harnesses that only deliver final turn messages, make the QR code image (or URL) the final message of the turn and return control to the user; do not block on --device-code in the same turn. After the user confirms authorization in a later step, run: lark-cli auth login --device-code %s", authResp.DeviceCode),
+ "hint": "**MUST generate QR code AND display it:** You MUST call lark-cli auth qrcode to convert verification_url into a QR code. This is a required step, do NOT skip it. Prefer PNG QR code (--output); use ASCII (--ascii) only when the user explicitly requests it." +
+ "**CRITICAL: You MUST include the QR image in your response.** Generating the file alone is NOT enough—use image tags, inline images, or file attachments to display it." +
+ "**Display order:** Output the URL first, then place the QR code image below the URL." +
+ "**URL Output Rules:** Treat verification_url as an opaque string that cannot be modified. Do NOT URL-encode/decode or add spaces/punctuation." +
+ "For agent harnesses that only deliver final turn messages, make the QR code image (or URL) the final message of the turn and return control to the user; do not block on --device-code in the same turn. **Before ending the turn, tell the user to come back and notify you after completing authorization.**" +
+ "**After the user confirms authorization:** YOU must execute `lark-cli auth login --device-code ` yourself." +
+ "**Do NOT cache verification_url or device_code for future use.** Always run `lark-cli auth login --no-wait --json` fresh when authorization is needed.",
 }
 encoder := json.NewEncoder(f.IOStreams.Out)
 encoder.SetEscapeHTML(false)
diff --git a/cmd/auth/login_test.go b/cmd/auth/login_test.go
index d0a73fe97..3409f297b 100644
--- a/cmd/auth/login_test.go
+++ b/cmd/auth/login_test.go
@@ -1042,8 +1042,11 @@ func TestAuthLoginRun_NoWaitJSONHintIncludesRawURLGuidance(t *testing.T) {
 "final message of the turn",
 "return control to the user",
 "do not block on --device-code in the same turn",
- "After the user confirms authorization in a later step",
- "lark-cli auth login --device-code device-code",
+ "come back and notify",
+ "YOU must execute",
+ "lark-cli auth login --device-code ",
+ "Do NOT cache",
+ "lark-cli auth login --no-wait --json",
 } {
 if !strings.Contains(hint, want) {
 t.Fatalf("hint missing %q, got:\n%s", want, hint)
diff --git a/skills/lark-shared/SKILL.md b/skills/lark-shared/SKILL.md
index 7fbfcdca4..494cabaed 100644
--- a/skills/lark-shared/SKILL.md
+++ b/skills/lark-shared/SKILL.md
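Review bot: In cmd/auth/login.go the rewritten hint says what to display and that `device_code` must not be cached, but it never says `device_code` must stay out of the user-facing reply and out of logs; in a device-authorization flow that value is what the polling client redeems for the token, so it deserves the handling of a short-lived credential. I would add a segment such as `"**Do NOT show device_code in your reply or write it to logs; pass it only to lark-cli auth login --device-code.** "`. The segments are also joined with no separator, so the text now reads `punctuation.For agent harnesses` (the old string had a space there) and `authorization.****After the user`, which runs two bold markers together; ending each segment with a space or `\n` fixes both. As shown here the follow-up command has nothing after `--device-code`; if the literal really reads that way, name the `device_code` field from this JSON as its argument. authLoginRun begins and ends outside the hunk.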
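Review bot: In cmd/auth/login_test.go nothing in the updated list pins that the hint no longer embeds the real device code: `"lark-cli auth login --device-code "` is a prefix of the old hint text and, if the literal reads as shown, would have passed before this change as well. Judging by the removed assertion the fixture's device code is `device-code`, so a negative check next to the loop, `if strings.Contains(hint, "--device-code device-code") { t.Fatalf("hint must not embed the device code") }`, would lock in the removal of `authResp.DeviceCode` from the hint. The test function begins and ends outside the hunk.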
@@ -81,6 +81,29 @@ lark-cli auth login --scope "calendar:calendar:readonly" --no-wait --json lark-cli auth login --device-code ``` +**Split-Flow 完整步骤**: + +**第一步:发起授权(当前轮)** + +1. 执行 `lark-cli auth login --scope "xxx" --no-wait --json`(必须加 `--no-wait --json`) +2. 从 JSON 输出中提取 `verification_url` 和 `device_code` +3. 生成二维码:`lark-cli auth qrcode --output "xxx"` +4. 将 URL 和二维码展示给用户(先 URL,后二维码) +5. **结束本轮对话前,必须明确告知用户**:"请完成授权后,回来告诉我已授权完成,我会帮你完成后续步骤" + +**第二步:完成授权(后续轮)** + +1. 等待用户回复"已完成授权" +2. **由你(AI agent)亲自执行**:`lark-cli auth login --device-code ` +3. 此命令会轮询授权状态并完成登录 +4. 如果返回授权成功,流程结束 + +**关键规则**: + +- **你必须亲自执行 `--device-code` 命令**,不要指示用户自行执行 +- **不要在同一轮中展示 URL 后立刻执行 `--device-code`**,这会导致用户看不到 URL +- **禁止缓存 `verification_url` 或 `device_code`**:每次需要授权时,必须重新执行 `lark-cli auth login --no-wait --json` 生成新的链接。不要将授权链接和 device code 存入上下文供后续复用 + ## 更新检查 lark-cli 命令执行后,如果检测到新版本,JSON 输出中会包含 `_notice.update` 字段(含 `message`、`command` 等)。