feat(apps): design_html support, creative-design skill, unified TOS publish#1901
feat(apps): design_html support, creative-design skill, unified TOS publish#1901anngo-nk wants to merge 35 commits into
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis change updates app identifier handling, HTML publishing, app initialization, Git credential metadata, and shortcut request headers. It also adds the creative-design skill system, harness references, built-in design guidance, reusable UI frames, animation, deck, canvas, and tweaks components. ChangesMiaoda app workflows
Creative-design guidance
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 10
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
shortcuts/apps/apps_init_test.go (1)
1765-1804: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick winMissing test for the "provided identity" path of
ensureGitIdentity.All three updated tests pass
("", "")for the newname/name/parseCredentialInitEnvelope'sCommitAuthorName/CommitAuthorEmail(see lines 113-125) — is actually written togit configwhen supplied. Since this is the actual behavior change the new parameters exist for, please add a test likeensureGitIdentity(ctx, "/repo", "Real Name", "real@example.com")assertinguser.name/user.emailare set to those values.Want me to draft this test case?
As per path instructions: "Every behavior change must have an adjacent test, and contract tests must assert the new field or behavior directly rather than relying only on happy-path substrings."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@shortcuts/apps/apps_init_test.go` around lines 1765 - 1804, Add a test for the provided-identity path of ensureGitIdentity, passing a real name and email while git identity is unset, and assert that git config writes user.name and user.email with those exact supplied values rather than the defaults. Keep the existing default, existing-identity, and failure tests unchanged.Source: Path instructions
🧹 Nitpick comments (1)
skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx (1)
178-248: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoffShared "miaoda" host-bridge postMessage protocol never specifies/validates an origin. Both starter components send with target origin
'*'and listen for'message'events without checkinge.origin, matching the ast-greppostmessage-permissive-origin(CWE-345) hint. Best practice is to always specify an exact target origin, not * and to only accept postMessages from known and trusted origins. The root cause is the same host-bridge pattern reused verbatim across both files, so fixing it once (e.g. a sharedgetHostOrigin()helper derived fromdocument.referrer/an injected host-origin constant, used for both thepostMessagetarget and anevent.originguard in each listener) addresses every site.
skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx#L178-L248: pass the resolved host origin (not'*') to thepostMessagecalls at lines 187, 241, 247, 580, and add ane.origincheck in theonMsglistener (lines 235-239) before acting onactivate/deactivate.skills/lark-apps/creative-design/starter-components/design-canvas.jsx#L179-L186: pass the resolved host origin to thepostMessagecalls at lines 181, 447, 680, 693, and add ane.origincheck inonHostMsg(lines 669-684) before acting onset-zoom/probe.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx` around lines 178 - 248, The shared host-bridge messaging uses permissive origins and lacks sender validation. In skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx:178-248, add or reuse a resolved host-origin helper for the postMessage calls at lines 187, 241, 247, and 580, and require the onMsg listener to accept only events whose e.origin matches it before handling activate/deactivate. Apply the same origin resolution and validation in skills/lark-apps/creative-design/starter-components/design-canvas.jsx:179-186 for postMessage calls at lines 181, 447, 680, and 693, guarding onHostMsg before set-zoom/probe; replace '*' with the exact trusted origin throughout.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@shortcuts/apps/apps_html_publish_test.go`:
- Around line 267-268: Update the dry-run contract test around the existing
pre_release assertion to decode the dry-run output and explicitly verify the
pre-release request, TOS upload metadata including the {tos_path} body, and the
release_create endpoint and body. Replace the single substring-only check with
direct assertions for each required request field and preserve clear failure
messages.
In `@shortcuts/apps/apps_html_publish.go`:
- Around line 80-83: Update the dry-run registration in the apps publish flow so
every operation in the described sequence appears as an explicit call: retain
the GET pre_release entry and add placeholder PUT and POST entries for the TOS
upload and release-create steps. Keep the existing endpoint and payload metadata
aligned with the publish sequence so machine consumers can inspect the complete
plan.
In `@shortcuts/apps/apps_init.go`:
- Around line 344-356: Update ensureGitIdentity to return the established typed
validation error when authorName or authorEmail is missing after trimming,
without falling back to defaultGitUserName or defaultGitUserEmail. Ensure the
user.name and user.email writes performed by ensureGitConfigValue use
repository-local Git configuration via --local, rather than accepting unrelated
global values.
- Around line 81-88: Add a "design_html" entry to appTypePolicies using the same
skipInstall, skipEnvPull, skipSkillsSync, and skipAppSync settings as the
existing static HTML policies. Add a focused policy or scaffold test covering
design_html and verifying those initialization steps are skipped.
In `@shortcuts/apps/common.go`:
- Around line 47-50: The validation error message in the appID prefix check must
mention both accepted prefixes. Update the message returned by the appID
validation logic to state that --app-id may start with either "app_" or "cli_",
while leaving the existing validation condition and error handling unchanged.
In `@shortcuts/apps/git_credential.go`:
- Line 471: Update the AppID assignment in the surrounding credential
construction to remove the appID variable from the firstString lookup arguments,
leaving only valid source key names; preserve the existing fallback logic below
for missing app IDs.
In `@shortcuts/common/runner.go`:
- Around line 434-437: Remove the unconditional BOE header setup from
buildRequest, including the boeHeaders construction and larkcore.WithHeaders
append, so shortcut requests no longer target boe_aily_lark_cli. If testing
still requires it, gate the header behind an explicit non-production
configuration switch rather than applying it to every request.
In `@shortcuts/drive/drive_list_comments.go`:
- Around line 204-220: Update parseDriveListCommentsAppsURL to accept only
recognized Miaoda/Lark hosts and require exactly two path components matching
/page/<token>; reject foreign hosts and paths such as /page/token/extra before
returning the token. Add tests covering both rejection cases.
In `@skills/lark-apps/creative-design/starter-components/android-frame.jsx`:
- Line 132: Thread the device’s dark-mode state through the Android keyboard:
update AndroidDevice to pass dark when rendering AndroidKeyboard, and update
AndroidKeyboard to accept that prop and apply dark-aware Material colors
consistently. Preserve the existing light-mode behavior and keyboard rendering
when dark is not enabled.
In `@skills/lark-apps/creative-design/starter-components/deck-stage.js`:
- Line 588: Restrict cross-window messaging in deck-stage by replacing wildcard
targets in every window.parent.postMessage call with the configured trusted host
origin, and update _onMessage to ignore events whose e.origin does not match
that origin before processing commands or exposing state. Reuse the existing
host-origin configuration or symbol rather than introducing a separate trust
value.
---
Outside diff comments:
In `@shortcuts/apps/apps_init_test.go`:
- Around line 1765-1804: Add a test for the provided-identity path of
ensureGitIdentity, passing a real name and email while git identity is unset,
and assert that git config writes user.name and user.email with those exact
supplied values rather than the defaults. Keep the existing default,
existing-identity, and failure tests unchanged.
---
Nitpick comments:
In `@skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx`:
- Around line 178-248: The shared host-bridge messaging uses permissive origins
and lacks sender validation. In
skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx:178-248,
add or reuse a resolved host-origin helper for the postMessage calls at lines
187, 241, 247, and 580, and require the onMsg listener to accept only events
whose e.origin matches it before handling activate/deactivate. Apply the same
origin resolution and validation in
skills/lark-apps/creative-design/starter-components/design-canvas.jsx:179-186
for postMessage calls at lines 181, 447, 680, and 693, guarding onHostMsg before
set-zoom/probe; replace '*' with the exact trusted origin throughout.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d0360041-236a-4194-90dd-792c9434fc60
⛔ Files ignored due to path filters (1)
skills/lark-apps/creative-design/agents/assets/vision-probe.pngis excluded by!**/*.png
📒 Files selected for processing (53)
shortcuts/apps/apps_get.goshortcuts/apps/apps_html_publish.goshortcuts/apps/apps_html_publish_test.goshortcuts/apps/apps_init.goshortcuts/apps/apps_init_test.goshortcuts/apps/apps_meta.goshortcuts/apps/apps_release_create.goshortcuts/apps/apps_release_get.goshortcuts/apps/common.goshortcuts/apps/git_credential.goshortcuts/apps/git_credential_test.goshortcuts/apps/gitcred/helper.goshortcuts/apps/gitcred/types.goshortcuts/common/runner.goshortcuts/drive/drive_list_comments.goshortcuts/drive/drive_list_comments_test.goskills/lark-apps/SKILL.mdskills/lark-apps/creative-design/SKILL.mdskills/lark-apps/creative-design/agents/fork-verifier-agent.mdskills/lark-apps/creative-design/agents/vision-probe-agent.mdskills/lark-apps/creative-design/built-in-skills/animated-video/SKILL.mdskills/lark-apps/creative-design/built-in-skills/charts/SKILL.mdskills/lark-apps/creative-design/built-in-skills/data-report/SKILL.mdskills/lark-apps/creative-design/built-in-skills/frontend-design/SKILL.mdskills/lark-apps/creative-design/built-in-skills/hi-fi-design/SKILL.mdskills/lark-apps/creative-design/built-in-skills/interactive-prototype/SKILL.mdskills/lark-apps/creative-design/built-in-skills/make-a-deck/SKILL.mdskills/lark-apps/creative-design/built-in-skills/visual-exposure/SKILL.mdskills/lark-apps/creative-design/built-in-skills/wireframe/SKILL.mdskills/lark-apps/creative-design/references/aily.mdskills/lark-apps/creative-design/references/claude.mdskills/lark-apps/creative-design/references/codex.mdskills/lark-apps/creative-design/starter-components/android-frame.jsxskills/lark-apps/creative-design/starter-components/animations.jsxskills/lark-apps/creative-design/starter-components/browser-window.jsxskills/lark-apps/creative-design/starter-components/deck-stage.jsskills/lark-apps/creative-design/starter-components/design-canvas.jsxskills/lark-apps/creative-design/starter-components/ios-frame.jsxskills/lark-apps/creative-design/starter-components/macos-window.jsxskills/lark-apps/creative-design/starter-components/tweaks-panel.jsxskills/lark-apps/creative-design/system-prompt.mdskills/lark-apps/references/lark-apps-create.mdskills/lark-apps/references/lark-apps-env-pull.mdskills/lark-apps/references/lark-apps-git-credential.mdskills/lark-apps/references/lark-apps-html-publish.mdskills/lark-apps/references/lark-apps-init.mdskills/lark-apps/references/lark-apps-list.mdskills/lark-apps/references/lark-apps-local-dev.mdskills/lark-apps/references/lark-apps-release-create.mdskills/lark-drive/SKILL.mdskills/lark-drive/references/lark-drive-list-comments.mdtests/cli_e2e/drive/coverage.mdtests/cli_e2e/drive/drive_list_comments_dryrun_test.go
6108c74 to
a07222a
Compare
🚀 PR Preview Install Guide🧰 CLI updatenpm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@b2f1ac5050ff01ba99288c9ab78ca868b8162613🧩 Skill updatenpx skills add larksuite/cli#feat/apps-design -y -g |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1901 +/- ##
==========================================
+ Coverage 74.95% 75.00% +0.05%
==========================================
Files 892 893 +1
Lines 94056 94289 +233
==========================================
+ Hits 70502 70726 +224
- Misses 18140 18147 +7
- Partials 5414 5416 +2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
shortcuts/apps/git_credential.go (1)
89-102: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick winReplace loose map with a typed struct.
As per coding guidelines, avoid introducing new loose-map code. Modifying the existing
map[string]interface{}to conditionally add more fields continues a loose-map pattern. Instead, define a typed struct withomitemptyJSON tags to represent the payload.♻️ Proposed refactor
- payload := map[string]interface{}{ - "app_id": result.AppID, - "repository_url": result.GitHTTPURL, - "status": initStatus(result), - } - if result.CommitAuthorName != "" { - payload["commit_author_name"] = result.CommitAuthorName - } - if result.CommitAuthorEmail != "" { - payload["commit_author_email"] = result.CommitAuthorEmail - } - if result.ConfigWarning != "" { - payload["git_config_warning"] = result.ConfigWarning - } + type initPayload struct { + AppID string `json:"app_id"` + RepositoryURL string `json:"repository_url"` + Status string `json:"status"` + CommitAuthorName string `json:"commit_author_name,omitempty"` + CommitAuthorEmail string `json:"commit_author_email,omitempty"` + GitConfigWarning string `json:"git_config_warning,omitempty"` + } + payload := initPayload{ + AppID: result.AppID, + RepositoryURL: result.GitHTTPURL, + Status: initStatus(result), + CommitAuthorName: result.CommitAuthorName, + CommitAuthorEmail: result.CommitAuthorEmail, + GitConfigWarning: result.ConfigWarning, + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@shortcuts/apps/git_credential.go` around lines 89 - 102, Replace the payload map in the git credential response flow with a dedicated typed struct representing app_id, repository_url, status, commit author name/email, and git config warning. Add JSON omitempty tags for optional fields, populate the struct from result, and preserve the existing conditional omission behavior during serialization.Source: Coding guidelines
♻️ Duplicate comments (1)
shortcuts/apps/git_credential.go (1)
471-471: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winRemove the
appIDvalue from the list of lookup keys.The
appIDvariable holds the actual app ID value (e.g.,"cli_a123"), butfirstStringexpects a list of key names to search for in the map. PassingappIDhere causes the code to mistakenly look for a key named after the app's value.Since a correct fallback for a missing app ID is already implemented right below at lines 479-481, you can safely remove
appIDfrom thefirstStringarguments.🐛 Proposed fix
- AppID: firstString(source, "app_id", appID), + AppID: firstString(source, "app_id"),🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@shortcuts/apps/git_credential.go` at line 471, Update the AppID assignment in the surrounding credential construction to remove appID from the firstString lookup keys, leaving only valid source key names. Preserve the existing fallback logic below that handles a missing app ID.
🧹 Nitpick comments (2)
skills/lark-apps/creative-design/starter-components/deck-stage.js (1)
535-546: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winNo reconnect guard — a second
connectedCallbackwould duplicate the shadow DOM.
_render()unconditionally appends a newstyle/rail/resize/stage/notes/menuset into the existing shadow root without clearing prior content. If the element is ever disconnected and reconnected (moved in the DOM, re-inserted by a host app), this produces two stacked<slot>s, ails, and menus — only the first default slot receives the assigned light-DOM children, so the second stage/rail render empty while listeners/observers double up.♻️ Guard `_render()` against re-invocation
connectedCallback() { ... - this._render(); + if (!this._built) { + this._built = true; + this._render(); + } this._loadNotes();Also applies to: 1016-1016
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/lark-apps/creative-design/starter-components/deck-stage.js` around lines 535 - 546, Guard the rendering lifecycle around _render() so reconnecting the custom element cannot append duplicate shadow-DOM structures. Add an idempotence check using an existing rendered-state marker or the shadow root’s expected children, and skip the append/setup work when already rendered while preserving the initial connectedCallback flow and existing listeners/observers.skills/lark-apps/creative-design/starter-components/design-canvas.jsx (1)
669-685: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winHost-bridge
messagelisteners don't verify the sender. Both starter components registerwindow.addEventListener('message', ...)handlers that act onmiaoda:*protocol messages without checkinge.origin/e.source, so any frame able to reach this window (not just the trusted host) can drive canvas zoom, toggle the Tweaks panel, etc. Root cause is the same missing sender check in both listeners.
skills/lark-apps/creative-design/starter-components/design-canvas.jsx#L669-L685: inonHostMsg, add a guard such asif (e.source !== window.parent) return;before acting onmiaoda:canvas:set-zoom/miaoda:canvas:probe.skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx#L234-L243: inonMsg, add the samee.source !== window.parentguard before acting onmiaoda:tweaks:activate/miaoda:tweaks:deactivate.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/lark-apps/creative-design/starter-components/design-canvas.jsx` around lines 669 - 685, Validate the message sender before processing host-bridge commands. In skills/lark-apps/creative-design/starter-components/design-canvas.jsx lines 669-685, add an e.source !== window.parent guard at the start of onHostMsg; apply the same guard in skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx lines 234-243 within onMsg, before handling the miaoda:tweaks:activate/deactivate messages.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@skills/lark-apps/creative-design/built-in-skills/frontend-design/SKILL.md`:
- Line 49: Update the CSS specificity guidance in the relevant example so it
contrasts genuinely different selector shapes, replacing the equal-specificity
`.section` versus `.cta` example with a combination such as `.section` and
`section.cta`; preserve the warning about unintended rule overrides.
In `@skills/lark-apps/creative-design/references/claude.md`:
- Around line 22-29: Update the use-design-system.md reference in the
AskUserQuestion section to point to an existing documentation file, or add the
missing document at the referenced location; preserve the intended design-system
guidance and ensure the link resolves correctly.
In `@skills/lark-apps/creative-design/starter-components/animations.jsx`:
- Around line 219-230: Update the ImageSprite component to accept an alt prop
with an empty-string default, then pass that value to the rendered image element
instead of always emitting alt="". Preserve the empty default so callers can
continue marking decorative images appropriately.
- Around line 335-338: Validate the duration option wherever it is initialized
or updated, including the defaults near the animation component and the
corresponding path around the later duration definition, and reject values that
are non-positive or non-finite. Ensure loop playback cannot reach the next %
duration calculation with an invalid duration, while preserving valid positive
finite durations.
In `@skills/lark-apps/creative-design/starter-components/browser-window.jsx`:
- Around line 1-3: Update the usage header comment in browser-window.jsx to
identify the actual starter-component filename instead of Chrome.jsx, ensuring
generated setup instructions reference the existing component file.
In `@skills/lark-apps/creative-design/starter-components/deck-stage.js`:
- Around line 113-115: Re-enable the speaker-notes dock by changing
NOTES_DISABLED in deck-stage.js so _notesVisible() can expose the editable notes
panel and preserve the documented postMessage contract in SKILL.md.
In `@skills/lark-apps/creative-design/starter-components/design-canvas.jsx`:
- Around line 176-221: Add a userEdited ref to the DesignCanvas initialization
and set it at the start of patchSection in the api memo. In the sidecar fetch
resolution, only hydrate state.sections from saved.sections when no local edit
has occurred; otherwise preserve the in-memory edits. Keep the existing
didRead/ready lifecycle and write suppression behavior intact.
---
Outside diff comments:
In `@shortcuts/apps/git_credential.go`:
- Around line 89-102: Replace the payload map in the git credential response
flow with a dedicated typed struct representing app_id, repository_url, status,
commit author name/email, and git config warning. Add JSON omitempty tags for
optional fields, populate the struct from result, and preserve the existing
conditional omission behavior during serialization.
---
Duplicate comments:
In `@shortcuts/apps/git_credential.go`:
- Line 471: Update the AppID assignment in the surrounding credential
construction to remove appID from the firstString lookup keys, leaving only
valid source key names. Preserve the existing fallback logic below that handles
a missing app ID.
---
Nitpick comments:
In `@skills/lark-apps/creative-design/starter-components/deck-stage.js`:
- Around line 535-546: Guard the rendering lifecycle around _render() so
reconnecting the custom element cannot append duplicate shadow-DOM structures.
Add an idempotence check using an existing rendered-state marker or the shadow
root’s expected children, and skip the append/setup work when already rendered
while preserving the initial connectedCallback flow and existing
listeners/observers.
In `@skills/lark-apps/creative-design/starter-components/design-canvas.jsx`:
- Around line 669-685: Validate the message sender before processing host-bridge
commands. In
skills/lark-apps/creative-design/starter-components/design-canvas.jsx lines
669-685, add an e.source !== window.parent guard at the start of onHostMsg;
apply the same guard in
skills/lark-apps/creative-design/starter-components/tweaks-panel.jsx lines
234-243 within onMsg, before handling the miaoda:tweaks:activate/deactivate
messages.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d561b877-b456-482d-9a4c-8aadd44eadcd
⛔ Files ignored due to path filters (1)
skills/lark-apps/creative-design/agents/assets/vision-probe.pngis excluded by!**/*.png
📒 Files selected for processing (47)
shortcuts/apps/apps_get.goshortcuts/apps/apps_html_publish.goshortcuts/apps/apps_html_publish_test.goshortcuts/apps/apps_init.goshortcuts/apps/apps_init_test.goshortcuts/apps/apps_meta.goshortcuts/apps/apps_release_create.goshortcuts/apps/apps_release_get.goshortcuts/apps/common.goshortcuts/apps/git_credential.goshortcuts/apps/git_credential_test.goshortcuts/apps/gitcred/helper.goshortcuts/apps/gitcred/types.goshortcuts/common/runner.goskills/lark-apps/SKILL.mdskills/lark-apps/creative-design/SKILL.mdskills/lark-apps/creative-design/agents/fork-verifier-agent.mdskills/lark-apps/creative-design/agents/vision-probe-agent.mdskills/lark-apps/creative-design/built-in-skills/animated-video/SKILL.mdskills/lark-apps/creative-design/built-in-skills/charts/SKILL.mdskills/lark-apps/creative-design/built-in-skills/data-report/SKILL.mdskills/lark-apps/creative-design/built-in-skills/frontend-design/SKILL.mdskills/lark-apps/creative-design/built-in-skills/hi-fi-design/SKILL.mdskills/lark-apps/creative-design/built-in-skills/interactive-prototype/SKILL.mdskills/lark-apps/creative-design/built-in-skills/make-a-deck/SKILL.mdskills/lark-apps/creative-design/built-in-skills/visual-exposure/SKILL.mdskills/lark-apps/creative-design/built-in-skills/wireframe/SKILL.mdskills/lark-apps/creative-design/references/aily.mdskills/lark-apps/creative-design/references/claude.mdskills/lark-apps/creative-design/references/codex.mdskills/lark-apps/creative-design/starter-components/android-frame.jsxskills/lark-apps/creative-design/starter-components/animations.jsxskills/lark-apps/creative-design/starter-components/browser-window.jsxskills/lark-apps/creative-design/starter-components/deck-stage.jsskills/lark-apps/creative-design/starter-components/design-canvas.jsxskills/lark-apps/creative-design/starter-components/ios-frame.jsxskills/lark-apps/creative-design/starter-components/macos-window.jsxskills/lark-apps/creative-design/starter-components/tweaks-panel.jsxskills/lark-apps/creative-design/system-prompt.mdskills/lark-apps/references/lark-apps-create.mdskills/lark-apps/references/lark-apps-env-pull.mdskills/lark-apps/references/lark-apps-git-credential.mdskills/lark-apps/references/lark-apps-html-publish.mdskills/lark-apps/references/lark-apps-init.mdskills/lark-apps/references/lark-apps-list.mdskills/lark-apps/references/lark-apps-local-dev.mdskills/lark-apps/references/lark-apps-release-create.md
🚧 Files skipped from review as they are similar to previous changes (28)
- shortcuts/apps/apps_release_get.go
- skills/lark-apps/creative-design/built-in-skills/interactive-prototype/SKILL.md
- shortcuts/apps/git_credential_test.go
- shortcuts/apps/apps_release_create.go
- skills/lark-apps/creative-design/built-in-skills/wireframe/SKILL.md
- skills/lark-apps/references/lark-apps-list.md
- skills/lark-apps/references/lark-apps-init.md
- skills/lark-apps/references/lark-apps-release-create.md
- shortcuts/apps/apps_meta.go
- skills/lark-apps/creative-design/agents/fork-verifier-agent.md
- skills/lark-apps/creative-design/references/codex.md
- skills/lark-apps/references/lark-apps-git-credential.md
- shortcuts/apps/apps_html_publish_test.go
- skills/lark-apps/references/lark-apps-html-publish.md
- skills/lark-apps/creative-design/built-in-skills/charts/SKILL.md
- shortcuts/apps/apps_html_publish.go
- shortcuts/common/runner.go
- shortcuts/apps/apps_get.go
- skills/lark-apps/creative-design/starter-components/android-frame.jsx
- skills/lark-apps/creative-design/built-in-skills/hi-fi-design/SKILL.md
- shortcuts/apps/gitcred/types.go
- shortcuts/apps/apps_init_test.go
- shortcuts/apps/gitcred/helper.go
- skills/lark-apps/SKILL.md
- skills/lark-apps/creative-design/starter-components/macos-window.jsx
- shortcuts/apps/common.go
- skills/lark-apps/references/lark-apps-local-dev.md
- shortcuts/apps/apps_init.go
…entity - Add design_html to appTypePolicies (same as modern_html: skip install/env-pull/skills-sync) - Route +html-publish via policy (useTOSPublish) instead of hardcoded type check - Parse commit_author_name/commit_author_email from +git-credential-init response - Use server-provided author identity for repo-local git config, fallback to defaults - Support meta_token as identifier in +get command - Use envvars.AgentName() for source_agent in +create (reads LARKSUITE_CLI_AGENT_NAME) - Add creative HTML guide reference skeleton and SKILL.md routing entry - Update git-credential skill docs with new output fields
- Remove useTOSPublish policy field, html-publish always uses TOS upload - Add html type to appTypePolicies (skip install/env-pull/skills-sync) - Remove design_html from policies (not yet in use) - Fix git credential dry-run test for new local_effects entry
- Add creative-design skill under lark-apps/ (same level as references/) - Update SKILL.md description with creative design trigger keywords - Add creative design routing in development path selection table - Add --path relative path guidance in html-publish reference - Remove old creative-html-guide skeleton (replaced by creative-design)
Add skipAppSync policy field; html and modern_html skip npx app sync on non-empty repo path since static HTML sites don't need it.
- Merge static HTML and creative-design into one path selection row - Add creative-design intent routing entry before html-publish
- Add html端到端 flow in local-dev.md (create → init → dev → release-create) - Unify publish link source: html and full_stack both use +release-get - Update SKILL.md routing and publish护栏 accordingly
- DryRun shows actual 3-step TOS flow (pre_release → TOS PUT → release-create) - Skill docs: output is release_id, use +release-get to poll for online_url - Remove references to legacy multipart upload and data.url
- Pin miaoda-cli to 0.1.24-alpha.fb2cf0a (revert to @latest before merge) - Add x-tt-env=boe_aily_lark_cli header globally (remove before merge) - html app-type uses --template design-html instead of --app-type (remove before merge)
- Add creative mode (html) link format `https://{tenant}/page/{meta_token}` in publish护栏
- Note dev and publish URLs are the same for creative mode, unlike full_stack
- Add meta_token to app_id resolution with full link format in app_id获取
- Select dev path: html apps now default to local-dev pipeline instead of skipping local/cloud axis - Intent routing: creative-design publishes via local-dev flow instead of +html-publish - Remove +html-publish fallback from local-dev "when not to use" section
…tack Remove full_stack-only wording from init, create, list, env-pull, and release-create references since html apps now share the same local dev and release flow.
- Remove "HTML" as separate dev path; html and full_stack both go through local-dev - Intent routing: read local-dev before creative-design to establish git pipeline first - Mark +html-publish as legacy, redirect to local-dev for creative mode - Split html local-dev into 3 scenarios: first-time, iteration, pre-generated files - git add . instead of selective add to capture all creative-design output files
…ease-get online_url
…d guardrails All HTML apps now go through local-dev pipeline. +html-publish is deprecated.
…/cloud-dev pages html-publish is no longer the recommended path for HTML apps; all html and full_stack apps now follow the same local-dev + release-create flow.
- html-publish dry-run: register all 3 API calls (GET pre_release, PUT TOS, POST release-create) instead of hiding steps in metadata - validateRealAppID: remove cli_ prefix check (not a valid app_id prefix) - E2E: update git-credential dry-run to expect 4 local_effects - E2E: update html-publish dry-run to expect GET pre_release
… docs - Delete html_publish_client.go and html_publish_client_test.go (legacy multipart) - Remove runHTMLPublish, enrichHTMLPublishAPIError, buildHTMLPublishFailureHint - Migrate tests from runHTMLPublish to prepareHTMLPublishTarball (same coverage) - Remove cli_ prefix from validateRealAppID (not a valid app_id prefix) - Fix html-publish.md error wording to match actual message - Register all 3 TOS API calls in html-publish dry-run - Update E2E tests for new dry-run contract
…g, source boundary) Rebuild SKILL.md from our branch version, then merge in main's additions: - description: add HTML静态站点发布, 应用角色与成员管理, 应用角色/角色成员 - 身份与授权: use main's updated wording (no proactive re-login) - intent routing: add +role-* row, +init refs 平台资源与应用源码边界 - 能力边界 → 平台资源与应用源码边界 (7 rules from main) - 禁止预授权底线: add role ② and html-publish ③ clauses
8815867 to
153bb6d
Compare
fix:cherry-pick and resolve conflicts
…idance - Generalize git error recovery: any git operation failure triggers +git-credential-init refresh, with environment analysis on failure - Add resource file upload rule: use +file-upload instead of local paths, base64 inlining, or git commits; files are app-scoped
…ign skill Consolidate the thin SKILL.md wrapper and the full system-prompt.md methodology into a single file, eliminating an unnecessary indirection. Update references in claude.md and codex.md accordingly.
创意模式的可见范围权限走 lark-drive 文档权限体系,而非妙搭应用 权限体系,当前的 +access-scope-set/get 无法正确管理创意模式应用 的可见范围。待文档协作支持妙搭能力后,再通过 lark-drive 域能力 引导修改。 TODO: 等文档协作支持妙搭能力后,在 skill 中加入使用文档域权限 能力修改创意模式可见范围的引导。
`apps` 命令的 `--path`、`--file`、`--output` 只接受 cwd 下的相对路径,传绝对路径会报错。
- 意图路由表新增创意模式应用评论,引导走 lark-drive 文档评论体系 - app_id 获取章节补充裸 meta_token 识别:非链接非 app_ 开头时尝试用 +get 解析
Summary
design_htmlapp type support with init skip policy (same asmodern_html)creative-designskill underlark-apps/for UI mockup / prototype / deck / visual design workflows+html-publishto always use TOS upload path (remove legacy multipart)htmltype toappTypePolicies(skip install/env-pull/skills-sync/app-sync)commit_author_name/commit_author_emailfrom+git-credential-initfor repo-local git identitymeta_tokenas identifier in+get, addmeta_tokento pretty output+list-commentsapps support (temporary, for testing)TEMP changes (remove before merge)
miaoda-clipinned to0.1.24-alpha.fb2cf0a→ revert to@latestx-tt-env: boe_aily_lark_cliheader → removeTest plan
go test ./shortcuts/apps/ -count=1— all passgo test ./shortcuts/drive/ -run TestResolveDriveListCommentsInput— passmake build— clean buildSummary by CodeRabbit
New Features
Bug Fixes
Documentation