
docs: add lark-drive permission governance workflow#1292

Open
jiangguozhou wants to merge 1 commit into main from docs/lark-drive-permission-governance

Conversation

@jiangguozhou
Collaborator

@jiangguozhou jiangguozhou commented Jun 5, 2026

Summary

Add a registered permission_governance workflow for lark-drive so AI agents can audit and govern Drive / Docs / Wiki permission risks with explicit safety gates. The workflow keeps SKILL.md as a short router and moves runtime protocol, command examples, and user-facing output templates into references.

Changes

  • Add the lark-drive workflow registry and shared runtime contract for registered workflows.
  • Add the permission_governance workflow with scope parsing, read-only discovery, risk classification, write confirmation, and verification rules.
  • Add separate command-pattern and output-template references for progressive loading and better user-facing diagnostics.
  • Route permission governance requests from skills/lark-drive/SKILL.md into the registered workflow.

Test Plan

  • git diff --cached --check passed
  • make unit-test passed
  • go vet ./... passed
  • gofmt -l . produced no output
  • go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 run --new-from-rev=origin/main passed
  • Manual CLI surface validation:
    • lark-cli drive +inspect --help
    • lark-cli wiki +node-list --help
    • lark-cli drive +apply-permission --help
    • lark-cli drive +secure-label-update --help
    • lark-cli schema drive.metas.batch_query
    • lark-cli schema drive.permission.public.get
    • lark-cli schema drive.permission.public.patch

Related Issues

  • None

Summary by CodeRabbit

  • New Features

    • Added permission governance workflow to audit and manage document permissions, including sharing scope, external access, copy/download restrictions, and security classifications.
  • Documentation

    • Added comprehensive workflow documentation with command examples and output templates for permission governance operations.
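As an added illustration (not code from this PR or the larksuite/cli project), the following Python models the gates the description lists: read-only facts, risk classification, a dry-run plan, explicit confirmation of exactly that plan, and only then a write. The field names `link_share_entity` and `external_access` come from the patch example in this PR; the value set, the R0-R3 thresholds, the sample tokens and the `write` callback are assumptions.

```python
"""Model of the permission_governance gates: facts -> assess -> plan -> confirm -> execute."""
import hashlib
import json

# Constructed sample of `drive permission.public` facts (values are assumed, not from the page).
FACTS = [
    {"token": "doccnAAA", "type": "docx", "link_share_entity": "anyone_editable", "external_access": True},
    {"token": "doccnBBB", "type": "docx", "link_share_entity": "tenant_readable", "external_access": False},
    {"token": "doccnCCC", "type": "sheet", "link_share_entity": "closed", "external_access": True},
]


def classify(fact):
    """Return (risk_level, reason). R0..R3 ordering is an assumed convention."""
    entity = fact["link_share_entity"]
    if entity.startswith("anyone_"):
        return "R3", f"link share is {entity}: reachable by anyone holding the link"
    if fact["external_access"]:
        return "R2", "external access enabled"
    if entity.endswith("_editable"):
        return "R1", "tenant-wide edit via link"
    return "R0", "no public exposure"


def risk_id(fact):
    # Stable id from type+token so a re-run matches earlier findings.
    return hashlib.sha256(f"{fact['type']}:{fact['token']}".encode()).hexdigest()[:12]


def plan(facts, min_level="R2"):
    """Dry-run plan: one proposed tightening patch per finding at/above min_level. No write."""
    actions = []
    for f in facts:
        level, reason = classify(f)
        if level >= min_level:  # "R0" < "R1" < "R2" < "R3" as strings
            actions.append({"risk_id": risk_id(f), "level": level, "reason": reason,
                            "params": {"token": f["token"], "type": f["type"]},
                            "data": {"link_share_entity": "closed", "external_access": False}})
    return actions


def plan_digest(actions):
    """The user confirms this digest; any change to the plan invalidates the confirmation."""
    return hashlib.sha256(json.dumps(actions, sort_keys=True).encode()).hexdigest()


class GateError(Exception):
    pass


def execute(actions, confirmation, write):
    """Refuse every write unless the confirmation matches exactly this plan."""
    if confirmation != plan_digest(actions):
        raise GateError("plan not confirmed or changed since dry-run; re-run the plan step")
    return [write(a["params"], a["data"]) for a in actions]  # write: assumed CLI wrapper
```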

@jiangguozhou jiangguozhou added documentation Improvements or additions to documentation size/S Low-risk docs, CI, test, or chore only changes labels Jun 5, 2026
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b71623e-a481-4b80-8fdd-91e93f99b6ea

📥 Commits

Reviewing files that changed from the base of the PR and between 86bdd52 and 0873d47.

📒 Files selected for processing (5)
  • skills/lark-drive/SKILL.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance-commands.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance-outputs.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance.md
  • skills/lark-drive/references/lark-drive-workflow.md
✅ Files skipped from review due to trivial changes (1)
  • skills/lark-drive/references/lark-drive-workflow.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • skills/lark-drive/references/lark-drive-workflow-permission-governance-commands.md
  • skills/lark-drive/SKILL.md

📝 Walkthrough

Walkthrough

Adds comprehensive lark-drive documentation for a new permission_governance workflow: a master workflow framework, the permission_governance specification with state machine and rules, a CLI command reference, detailed user-facing output templates, and SKILL.md routing to the workflow.

Changes

Permission Governance Workflow System

Layer / File(s) Summary
Master workflow framework and execution protocol
skills/lark-drive/references/lark-drive-workflow.md
Establishes the lark-drive workflow master framework: registry-based routing, execution skeleton (route→scope→read→assess/plan→confirm→execute→verify→done), artifact and entry contracts, Risk/Structure gates (R0–R3, S1–S3), loading/split boundaries, registry example including permission_governance, and unregistered-workflow handling rules.
Permission governance workflow specification
skills/lark-drive/references/lark-drive-workflow-permission-governance.md
Defines permission_governance scope/non-targets, progressive load map, runtime state extensions, full execution state machine (Parse→Discovery→Read Facts→Assess→Plan→Confirm→Execute→Verify→Done), allowed command families, container discovery and fact-read rules, risk classification/evidence labeling, write/confirmation/dry-run/rollback rules, batch/failure handling, and output constraints.
Permission governance command reference
skills/lark-drive/references/lark-drive-workflow-permission-governance-commands.md
Provides lark-cli command examples organized by workflow stage: target resolution (Wiki space URL handling), discovery (node-list, folder file lists), fact reading (drive metas, permission.public, file.statistics, view_records), pre-write checks (manage-public auth), execution examples (permission.public patch, apply-permission, secure-label-update) and parameter placeholders.
Permission governance output templates
skills/lark-drive/references/lark-drive-workflow-permission-governance-outputs.md
Specifies complete user-visible output templates and field mappings: output strategy and expansion rules, permission/link/exposure mappings, stable risk_id and URL/token fallbacks, audit and container diagnostic templates, actionable risk list schema, governance selection interaction rules, permission settings and access review templates, dry-run plan schema, batch and per-operation confirmation templates, and final recap/validation requirements.
Skill routing integration
skills/lark-drive/SKILL.md
Adds a quick-decision rule routing permission-related tasks (permission risk reports, tightening permissions, requesting view/edit rights, sharing/public scope, external access, copy/download, secure labels) to read lark-drive-workflow.md and enter the permission_governance workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • larksuite/cli#863: Overlaps on public permission patch guidance and scope/error handling related to permission governance.
  • larksuite/cli#414: Related updates to SKILL.md guidance for granting permissions to the current bot.

Suggested labels

domain/ccm, size/M

Suggested reviewers

  • fangshuyu-768
  • liujinkun2025


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding a permission governance workflow for lark-drive, which aligns with the core objective of the PR.
Description check ✅ Passed The description follows the template structure with Summary, Changes, Test Plan, and Related Issues sections. All required sections are present and substantively filled with relevant information.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@github-actions github-actions Bot added size/L Large or sensitive change across domains or core paths and removed size/S Low-risk docs, CI, test, or chore only changes labels Jun 5, 2026
@jiangguozhou jiangguozhou added size/S Low-risk docs, CI, test, or chore only changes and removed size/L Large or sensitive change across domains or core paths labels Jun 5, 2026
Change-Id: I4d886ea68f95271a66e552839f71ab566a6a7df7

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@skills/lark-drive/references/lark-drive-workflow-permission-governance-commands.md`:
- Around line 80-121: The doc currently shows +secure-label-update without first
listing available labels, which breaks the EXEC_CONFIRM contract; add a
secure-label enumeration example (using the command symbol +secure-label-list)
immediately before +secure-label-update in the "写前确认与执行" section so users can
discover label IDs to confirm, and ensure the example matches the flag style
used elsewhere (--token/--type/--label-id, --as user, --format json) to keep
consistency with permission.members auth and +secure-label-update entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc2d23e3-1aaa-4e91-9927-5e9cf3e6b82f

📥 Commits

Reviewing files that changed from the base of the PR and between f3949f0 and 86bdd52.

📒 Files selected for processing (5)
  • skills/lark-drive/SKILL.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance-commands.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance-outputs.md
  • skills/lark-drive/references/lark-drive-workflow-permission-governance.md
  • skills/lark-drive/references/lark-drive-workflow.md

Comment on lines +80 to +121
## 写前确认与执行

patch 前检查 manage-public permission:

```bash
lark-cli drive permission.members auth \
--params '{"token":"<token>","type":"<type>","action":"manage_public"}' \
--as user --format json
```

显式确认后 patch public permission:

```bash
lark-cli drive permission.public patch \
--params '{"token":"<token>","type":"<type>"}' \
--data '{"link_share_entity":"closed","external_access":false}' \
--as user --yes --format json
```

显式确认后申请访问权限:

```bash
lark-cli drive +apply-permission \
--token '<url>' \
--perm view --remark '<reason>' --as user --format json

lark-cli drive +apply-permission \
--token '<bare-token>' --type '<type>' \
--perm view --remark '<reason>' --as user --format json
```

显式确认后更新 secure label:

```bash
lark-cli drive +secure-label-update \
--token '<url>' \
--label-id '<label-id>' --as user --format json

lark-cli drive +secure-label-update \
--token '<bare-token>' --type '<type>' \
--label-id '<label-id>' --as user --format json
```
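Review bot: the `permission.public patch` example passes `--yes` while the `+apply-permission` and `+secure-label-update` examples in the same section do not; since this file is the template agents copy, state why that write runs non-interactively and that the EXEC_CONFIRM step (and the dry-run the workflow spec mentions) must precede it, otherwise a copied command changes public sharing with no prompt at all. The `permission.members auth` pre-check with `"action":"manage_public"` covers only the public patch; add the corresponding pre-write check for the apply-permission and secure-label writes, or say explicitly that none is required.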

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a pre-write secure label enumeration command so the doc does not diverge from the upstream workflow contract.

The "写前确认与执行" (pre-write confirmation and execution) section currently gives +secure-label-update directly but has no drive +secure-label-list example; this is inconsistent with the upstream workflow's requirement to resolve the available label IDs first in the EXEC_CONFIRM stage, and can easily leave a key check missing from the confirmation stage.

Proposed doc patch
 ## 写前确认与执行

 patch 前检查 manage-public permission:

 ```bash
 lark-cli drive permission.members auth \
   --params '{"token":"<token>","type":"<type>","action":"manage_public"}' \
   --as user --format json

+更新 secure label 前先枚举可用标签:
+
+```bash
+lark-cli drive +secure-label-list \

  • --as user --format json
    +```

显式确认后 patch public permission:
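Review bot: the proposed insertion point contradicts the finding's own instruction: the `+更新 secure label 前先枚举可用标签` block is inserted between the `permission.members auth` block and `显式确认后 patch public permission:`, i.e. before the public-permission patch, whereas the finding asks for it immediately before `+secure-label-update`; move it to precede the `显式确认后更新 secure label:` block. The hunk also drops the closing fence of the `permission.members auth` bash block (context ends at `--as user --format json` with no closing fence before the `+` lines), so applied as shown it leaves the fences unbalanced. Finally, the PR's test plan validated `--help` for `+secure-label-update` but not for `+secure-label-list`; the author should confirm that command symbol exists before documenting it.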



@github-actions

github-actions Bot commented Jun 5, 2026

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@0873d47f475895ff74468ec3e7e38b1ed04a7cf9

🧩 Skill update

npx skills add larksuite/cli#docs/lark-drive-permission-governance -y -g

@jiangguozhou jiangguozhou force-pushed the docs/lark-drive-permission-governance branch from 86bdd52 to 0873d47 Compare June 5, 2026 07:34
@github-actions github-actions Bot added size/L Large or sensitive change across domains or core paths and removed size/S Low-risk docs, CI, test, or chore only changes labels Jun 5, 2026
@codecov

codecov Bot commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.33%. Comparing base (f3949f0) to head (0873d47).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1292   +/-   ##
=======================================
  Coverage   70.33%   70.33%           
=======================================
  Files         672      672           
  Lines       65322    65322           
=======================================
  Hits        45941    45941           
  Misses      15728    15728           
  Partials     3653     3653           


Labels

documentation Improvements or additions to documentation size/L Large or sensitive change across domains or core paths
