refactor(apps): migrate errors to typed taxonomy

.golangci.yml

@@ -73,20 +73,20 @@ linters:
           - forbidigo
       # errs-typed-only enforced on paths already migrated to errs.NewXxxError.
       # Add a path when its migration is complete.
-      - path-except: (internal/auth/|internal/errcompat/|internal/errclass/|internal/client/|internal/cmdutil/factory\.go|cmd/auth/|cmd/config/|cmd/service/|shortcuts/common/mcp_client\.go|shortcuts/calendar/|shortcuts/drive/|shortcuts/mail/|shortcuts/base/)
+      - path-except: (internal/auth/|internal/errcompat/|internal/errclass/|internal/client/|internal/cmdutil/factory\.go|cmd/auth/|cmd/config/|cmd/service/|shortcuts/common/mcp_client\.go|shortcuts/calendar/|shortcuts/drive/|shortcuts/mail/|shortcuts/base/|shortcuts/apps/)
         text: errs-typed-only
         linters:
           - forbidigo
       # errs-no-bare-wrap enforced on paths fully migrated to typed final
       # errors. Scoped separately from errs-typed-only because cmd/auth/,
       # cmd/config/ still have residual fmt.Errorf and must not be caught.
-      - path-except: (shortcuts/drive/|shortcuts/mail/|shortcuts/base/|shortcuts/calendar/|shortcuts/common/mcp_client\.go)
+      - path-except: (shortcuts/drive/|shortcuts/mail/|shortcuts/base/|shortcuts/calendar/|shortcuts/apps/|shortcuts/common/mcp_client\.go)
         text: errs-no-bare-wrap
         linters:
           - forbidigo
       # errs-no-legacy-helper enforced on domains whose shared validation/save
       # helpers have migrated to typed final errors.
-      - path-except: (shortcuts/drive/|shortcuts/mail/|shortcuts/base/|shortcuts/calendar/)
+      - path-except: (shortcuts/drive/|shortcuts/mail/|shortcuts/base/|shortcuts/calendar/|shortcuts/apps/)
         text: errs-no-legacy-helper
         linters:
           - forbidigo

internal/errclass/codemeta_apps.go

@@ -0,0 +1,15 @@
+// Copyright (c) 2026 Lark Technologies Pte. Ltd.
+// SPDX-License-Identifier: MIT
+
+package errclass
+
+import "github.com/larksuite/cli/errs"
+
+// appsCodeMeta holds Miaoda apps-service Lark code -> CodeMeta mappings.
+// Only stable endpoint semantics are registered globally; endpoint-specific
+// recovery hints stay in shortcuts/apps.
+var appsCodeMeta = map[int]CodeMeta{
+	90002: {Category: errs.CategoryAPI, Subtype: errs.SubtypeNotFound}, // app_id unknown or caller lacks access
+}
+
+func init() { mergeCodeMeta(appsCodeMeta, "apps") }

lint/errscontract/rule_no_legacy_common_helper_call.go

@@ -15,6 +15,7 @@ import (
 // legacy validation/save helpers are forbidden; callers must use the typed
 // common replacements or construct an errs.* typed error directly.
 var migratedCommonHelperPaths = []string{
+	"shortcuts/apps/",
 	"shortcuts/base/",
 	"shortcuts/drive/",
 	"shortcuts/mail/",

lint/errscontract/rule_no_legacy_envelope_literal.go

@@ -16,6 +16,7 @@ import (
 // call sites must return a typed errs.* error instead. Future domains opt in by
 // appending their path prefix here.
 var migratedEnvelopePaths = []string{
+	"shortcuts/apps/",
 	"shortcuts/base/",
 	"shortcuts/drive/",
 	"shortcuts/mail/",

shortcuts/apps/apps_access_scope_get.go

@@ -9,7 +9,6 @@
 	"io"
 	"strings"
 
-	"github.com/larksuite/cli/internal/output"
 	"github.com/larksuite/cli/internal/validate"
 	"github.com/larksuite/cli/shortcuts/common"
 )
@@ -29,7 +28,7 @@
 	},
 	Validate: func(ctx context.Context, rctx *common.RuntimeContext) error {
 		if strings.TrimSpace(rctx.Str("app-id")) == "" {
-			return output.ErrValidation("--app-id is required")
+			return appsValidationParamError("--app-id", "--app-id is required")
 		}
 		return nil
 	},
@@ -42,7 +41,7 @@
 	Execute: func(ctx context.Context, rctx *common.RuntimeContext) error {
 		appID := strings.TrimSpace(rctx.Str("app-id"))
 		path := fmt.Sprintf("%s/apps/%s/access-scope", apiBasePath, validate.EncodePathSegment(appID))
-		data, err := rctx.CallAPI("GET", path, nil, nil)
+		data, err := rctx.CallAPITyped("GET", path, nil, nil)
 		if err != nil {
 			return err
 		}

shortcuts/apps/apps_access_scope_set.go

@@ -10,7 +10,6 @@
 	"io"
 	"strings"
 
-	"github.com/larksuite/cli/internal/output"
 	"github.com/larksuite/cli/internal/validate"
 	"github.com/larksuite/cli/shortcuts/common"
 )
@@ -40,7 +39,7 @@
 	},
 	Validate: func(ctx context.Context, rctx *common.RuntimeContext) error {
 		if strings.TrimSpace(rctx.Str("app-id")) == "" {
-			return output.ErrValidation("--app-id is required")
+			return appsValidationParamError("--app-id", "--app-id is required")
 		}
 		return validateAccessScopeFlags(rctx)
 	},
@@ -64,7 +63,7 @@
 		}
 		appID := strings.TrimSpace(rctx.Str("app-id"))
 		path := fmt.Sprintf("%s/apps/%s/access-scope", apiBasePath, validate.EncodePathSegment(appID))
-		data, err := rctx.CallAPI("PUT", path, nil, body)
+		data, err := rctx.CallAPITyped("PUT", path, nil, body)
 		if err != nil {
 			return err
 		}
@@ -85,55 +84,61 @@
 	switch scope {
 	case "specific":
 		if targets == "" {
-			return output.ErrValidation("--targets is required when --scope=specific")
+			return appsValidationParamError("--targets", "--targets is required when --scope=specific")
 		}
 		if err := validateTargetsJSON(targets); err != nil {
 			return err
 		}
 		if approver != "" && !applyEnabled {
-			return output.ErrValidation("--approver requires --apply-enabled")
+			return appsValidationParamError("--approver", "--approver requires --apply-enabled")
 		}
 		if requireLogin {
-			return output.ErrValidation("--require-login is not allowed when --scope=specific")
+			return appsValidationParamError("--require-login", "--require-login is not allowed when --scope=specific")
 		}
 	case "public":
 		if targets != "" {
-			return output.ErrValidation("--targets is not allowed when --scope=public")
+			return appsValidationParamError("--targets", "--targets is not allowed when --scope=public")
 		}
 		if applyEnabled {
-			return output.ErrValidation("--apply-enabled is not allowed when --scope=public")
+			return appsValidationParamError("--apply-enabled", "--apply-enabled is not allowed when --scope=public")
 		}
 		if approver != "" {
-			return output.ErrValidation("--approver is not allowed when --scope=public")
+			return appsValidationParamError("--approver", "--approver is not allowed when --scope=public")
 		}
 		if !rctx.Cmd.Flags().Changed("require-login") {
-			return output.ErrValidation("--require-login is required when --scope=public (pass true or false explicitly; do not rely on the default)")
+			return appsValidationParamError("--require-login", "--require-login is required when --scope=public (pass true or false explicitly; do not rely on the default)")
 		}
 	case "tenant":
 		if targets != "" || applyEnabled || approver != "" || requireLogin {
-			return output.ErrValidation("no extra flags allowed when --scope=tenant")
+			return appsValidationError("no extra flags allowed when --scope=tenant").
+				WithParams(
+					appsInvalidParam("--targets", "not allowed when --scope=tenant"),
+					appsInvalidParam("--apply-enabled", "not allowed when --scope=tenant"),
+					appsInvalidParam("--approver", "not allowed when --scope=tenant"),
+					appsInvalidParam("--require-login", "not allowed when --scope=tenant"),
+				)
 		}
 	default:
-		return output.ErrValidation("--scope must be specific / public / tenant")
+		return appsValidationParamError("--scope", "--scope must be specific / public / tenant")
 	}
 	return nil
 }
 
 func validateTargetsJSON(targetsJSON string) error {
 	var items []map[string]interface{}
 	if err := json.Unmarshal([]byte(targetsJSON), &items); err != nil {
-		return output.ErrValidation("--targets is not valid JSON: %v", err)
+		return appsValidationParamError("--targets", "--targets is not valid JSON: %v", err).WithCause(err)
 	}
 	if len(items) == 0 {
-		return output.ErrValidation("--targets must contain at least one entry; specific scope requires concrete user/department/chat ids")
+		return appsValidationParamError("--targets", "--targets must contain at least one entry; specific scope requires concrete user/department/chat ids")
 	}
 	for i, t := range items {
 		typ, _ := t["type"].(string)
 		if !allowedAccessTargetTypes[typ] {
-			return output.ErrValidation("--targets[%d].type %q must be one of: user / department / chat", i, typ)
+			return appsValidationParamError("--targets", "--targets[%d].type %q must be one of: user / department / chat", i, typ)
 		}
 		if id, _ := t["id"].(string); strings.TrimSpace(id) == "" {
-			return output.ErrValidation("--targets[%d].id is empty", i)
+			return appsValidationParamError("--targets", "--targets[%d].id is empty", i)
 		}
 	}
 	return nil
@@ -152,7 +157,7 @@
 	scope := rctx.Str("scope")
 	enum, ok := scopeStringToServerEnum[scope]
 	if !ok {
-		return nil, output.ErrValidation("--scope must be specific / public / tenant, got %q", scope)
+		return nil, appsValidationParamError("--scope", "--scope must be specific / public / tenant, got %q", scope)
 	}
 	body := map[string]interface{}{"scope": enum}
 
@@ -161,7 +166,7 @@
 		// 用户传统一格式 [{type:user|department|chat, id:...}]，body 里拆 3 个并列数组发后端。
 		var targets []map[string]interface{}
 		if err := json.Unmarshal([]byte(rctx.Str("targets")), &targets); err != nil {
-			return nil, output.ErrValidation("--targets is not valid JSON: %v", err)
+			return nil, appsValidationParamError("--targets", "--targets is not valid JSON: %v", err).WithCause(err)
 		}
 		users, departments, chats := splitAccessScopeTargets(targets)
 		if len(users) > 0 {

shortcuts/apps/apps_create.go

@@ -9,7 +9,6 @@
 	"io"
 	"strings"
 
-	"github.com/larksuite/cli/internal/output"
 	"github.com/larksuite/cli/shortcuts/common"
 )
 
@@ -30,14 +29,14 @@
 	},
 	Validate: func(ctx context.Context, rctx *common.RuntimeContext) error {
 		if strings.TrimSpace(rctx.Str("name")) == "" {
-			return output.ErrValidation("--name is required")
+			return appsValidationParamError("--name", "--name is required")
 		}
 		appType := strings.TrimSpace(rctx.Str("app-type"))
 		if appType == "" {
-			return output.ErrValidation("--app-type is required")
+			return appsValidationParamError("--app-type", "--app-type is required")
 		}
 		if !validAppTypes[appType] {
-			return output.ErrValidation(fmt.Sprintf("--app-type %q is not supported (allowed: HTML)", appType))
+			return appsValidationParamError("--app-type", "--app-type %q is not supported (allowed: HTML)", appType)
 		}
 		return nil
 	},
@@ -48,7 +47,7 @@
 			Body(buildAppsCreateBody(rctx))
 	},
 	Execute: func(ctx context.Context, rctx *common.RuntimeContext) error {
-		data, err := rctx.CallAPI("POST", apiBasePath+"/apps", nil, buildAppsCreateBody(rctx))
+		data, err := rctx.CallAPITyped("POST", apiBasePath+"/apps", nil, buildAppsCreateBody(rctx))
 		if err != nil {
 			return err
 		}

shortcuts/apps/apps_create_test.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"github.com/larksuite/cli/errs"
 	"github.com/larksuite/cli/internal/cmdutil"
 	"github.com/larksuite/cli/internal/core"
 	"github.com/larksuite/cli/internal/httpmock"
@@ -46,6 +47,31 @@ func runAppsShortcut(t *testing.T, sc common.Shortcut, args []string, factory *c
 	return parent.ExecuteContext(context.Background())
 }
 
+func requireAppsProblem(t *testing.T, err error, category errs.Category) *errs.Problem {
+	t.Helper()
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	p, ok := errs.ProblemOf(err)
+	if !ok {
+		t.Fatalf("expected typed problem, got %T: %v", err, err)
+	}
+	if p.Category != category {
+		t.Fatalf("error category = %q, want %q", p.Category, category)
+	}
+	return p
+}
+
+func requireAppsValidationProblem(t *testing.T, err error) *errs.Problem {
+	t.Helper()
+	return requireAppsProblem(t, err, errs.CategoryValidation)
+}
+
+func requireAppsAPIProblem(t *testing.T, err error) *errs.Problem {
+	t.Helper()
+	return requireAppsProblem(t, err, errs.CategoryAPI)
+}
+
 // +create 测试
 
 func TestAppsCreate_Success(t *testing.T) {

shortcuts/apps/apps_errors.go

@@ -0,0 +1,73 @@
+// Copyright (c) 2026 Lark Technologies Pte. Ltd.
+// SPDX-License-Identifier: MIT
+
+package apps
+
+import (
+	"errors"
+
+	"github.com/larksuite/cli/errs"
+	"github.com/larksuite/cli/extension/fileio"
+	"github.com/larksuite/cli/internal/client"
+)
+
+func appsValidationError(format string, args ...any) *errs.ValidationError {
+	return errs.NewValidationError(errs.SubtypeInvalidArgument, format, args...)
+}
+
+func appsValidationParamError(param, format string, args ...any) *errs.ValidationError {
+	return appsValidationError(format, args...).WithParam(param)
+}
+
+func appsInvalidParam(name, reason string) errs.InvalidParam {
+	return errs.InvalidParam{Name: name, Reason: reason}
+}
+
+func appsFailedPreconditionParamError(param, format string, args ...any) *errs.ValidationError {
+	return errs.NewValidationError(errs.SubtypeFailedPrecondition, format, args...).WithParam(param)
+}
+
+func appsInputPathError(err error) error {
+	if err == nil {
+		return nil
+	}
+	if errors.Is(err, fileio.ErrPathValidation) {
+		return appsValidationParamError("--path", "unsafe --path: %s", err).WithCause(err)
+	}
+	return appsValidationParamError("--path", "cannot read --path: %s", err).WithCause(err)
+}
+
+func appsInputPathEntryError(path string, err error) error {
+	if err == nil {
+		return nil
+	}
+	if errors.Is(err, fileio.ErrPathValidation) {
+		return appsValidationParamError("--path", "unsafe --path entry %s: %s", path, err).WithCause(err)
+	}
+	return appsValidationParamError("--path", "cannot read --path entry %s: %s", path, err).WithCause(err)
+}
+
+func appsFileIOError(err error, format string, args ...any) *errs.InternalError {
+	return errs.NewInternalError(errs.SubtypeFileIO, format, args...).WithCause(err)
+}
+
+func appsAPIBoundaryError(err error) error {
+	return client.WrapDoAPIError(err)
+}
+
+func enrichHTMLPublishAPIError(err error) error {
+	if err == nil {
+		return nil
+	}
+	p, ok := errs.ProblemOf(err)
+	if !ok {
+		return appsAPIBoundaryError(err)
+	}
+	if p.Message != "" {
+		p.Message = "html-publish failed: " + p.Message
+	}
+	if hint := buildHTMLPublishFailureHint(p.Code); hint != "" {
+		p.Hint = hint
+	}
+	return err
+}