fix: restrict user_mailbox shortcuts to user identity only #802

Open
guo00110211 wants to merge 1 commit into larksuite:main from guo00110211:fix/user-mailbox-bot-identity-error

@guo00110211 guo00110211 commented May 10, 2026

Summary

Six mail shortcuts (+triage, +messages, +thread, +message, +template-create, +template-update) incorrectly declared AuthTypes: ["user","bot"] but exclusively call user_mailbox.* APIs, which only support user identity (UAT). When bot identity was used — via --as bot or bot-only strict mode — the Lark server returned a misleading param is invalid error. This PR restricts AuthTypes to ["user"] so CheckIdentity rejects bot identity before any API call is made, producing a clear actionable error.

Changes

  • shortcuts/mail/mail_triage.go: AuthTypes ["user","bot"] → ["user"]
  • shortcuts/mail/mail_messages.go: same
  • shortcuts/mail/mail_template_create.go: same
  • shortcuts/mail/mail_thread.go: same
  • shortcuts/mail/mail_template_update.go: same
  • shortcuts/mail/mail_message.go: same
  • shortcuts/mail/mail_auth_types_test.go: new unit test TestUserMailboxShortcutsRequireUserIdentity covering all six shortcuts

Test Plan

  • make unit-test passed
  • validate passed (build / vet / unit / integration all green)
  • local-eval skipped: sandbox ccr-config.json not configured in test environment
  • acceptance-reviewer passed (5/5 cases: bot rejection on all 6 commands, --as completion, dry-run interaction, user identity backward compat)
  • manual verification: lark-cli mail +triage --as bot → Error: --as bot is not supported, this command only supports: user (exit 1, no API call made)

Related Issues

N/A

Summary by CodeRabbit

  • Bug Fixes

    • Six mail shortcuts (message, messages, template-create, template-update, thread, triage) now require user authentication only; bot authentication is no longer supported.
  • Tests

    • Added validation test for mail shortcut user identity requirements.

user_mailbox.* APIs do not support bot (TAT) access. Six shortcuts
incorrectly declared AuthTypes ["user","bot"], causing the Lark API
to return a misleading 'param is invalid' error when bot identity was
used. Fix by restricting AuthTypes to ["user"] so CheckIdentity
rejects bot identity before any API call is made.
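
The identity gate this PR describes, as an added Go example that is not code from the PR or from lark-cli. The `Shortcut` type, `Run` and `callUserMailbox` are hypothetical stand-ins; only the `AuthTypes` field name, the "user"/"bot" values and the two error strings come from the page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Shortcut is a simplified, hypothetical descriptor; only the AuthTypes
// field name and the "user"/"bot" values are taken from the PR.
type Shortcut struct {
	Command   string
	AuthTypes []string
}

// callUserMailbox simulates the server behaviour described in the PR:
// user_mailbox.* accepts user identity only and answers any other
// identity with the unhelpful "param is invalid".
func callUserMailbox(as string, calls *int) error {
	*calls++
	if as != "user" {
		return errors.New("param is invalid")
	}
	return nil
}

// Run checks the requested identity against the declared allowlist
// before any request is sent (the role CheckIdentity plays in the PR).
func Run(s Shortcut, as string, calls *int) error {
	for _, t := range s.AuthTypes {
		if t == as {
			return callUserMailbox(as, calls)
		}
	}
	return fmt.Errorf("--as %s is not supported, this command only supports: %s",
		as, strings.Join(s.AuthTypes, ", "))
}

func main() {
	for _, s := range []Shortcut{
		{"+triage", []string{"user", "bot"}}, // declaration before the fix
		{"+triage", []string{"user"}},        // declaration after the fix
	} {
		calls := 0
		err := Run(s, "bot", &calls)
		fmt.Printf("%s AuthTypes=%v api_calls=%d err=%v\n", s.Command, s.AuthTypes, calls, err)
	}
}
```

With the over-broad declaration the bot request reaches the API and fails there; with the corrected one it is rejected locally and the call counter stays at zero.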
@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


guoyao.211 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added domain/mail PR touches the mail domain size/M Single-domain feat or fix with limited business impact labels May 10, 2026
coderabbitai Bot commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37d61b9f-9cdd-4642-ba8e-40501610c260

📥 Commits

Reviewing files that changed from the base of the PR and between 4aceae9 and 7549ab6.

📒 Files selected for processing (7)
  • shortcuts/mail/mail_auth_types_test.go
  • shortcuts/mail/mail_message.go
  • shortcuts/mail/mail_messages.go
  • shortcuts/mail/mail_template_create.go
  • shortcuts/mail/mail_template_update.go
  • shortcuts/mail/mail_thread.go
  • shortcuts/mail/mail_triage.go

Walkthrough

Six mail shortcuts (message, messages, template-create, template-update, thread, triage) are restricted from bot authentication to user-only. A new test validates that invocations with bot identity return an error message containing "not supported".

Changes

Mail shortcuts user-only authentication

| Layer / File(s) | Summary |
| --- | --- |
| Auth type restrictions: shortcuts/mail/mail_message.go, shortcuts/mail/mail_messages.go, shortcuts/mail/mail_template_create.go, shortcuts/mail/mail_template_update.go, shortcuts/mail/mail_thread.go, shortcuts/mail/mail_triage.go | Six mail shortcuts restrict AuthTypes from ["user", "bot"] to ["user"] only. |
| Auth type enforcement test: shortcuts/mail/mail_auth_types_test.go | New test TestUserMailboxShortcutsRequireUserIdentity iterates over user-only shortcuts, executes each with bot identity flag, and verifies error messages contain "not supported". |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

domain/mail, size/M

Suggested reviewers

  • infeng
  • zhouyue-bytedance

Poem

🐰 Six shortcuts now reject the bot's request,
User-only gates ensure security's best,
Tests verify the "not supported" call,
Authentication boundaries honored by all!

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: restricting six user_mailbox shortcuts to user identity only, which aligns with the PR's core objective. |
| Description check | ✅ Passed | The description includes all required sections: Summary explains the motivation, Changes lists all modifications, Test Plan documents verification steps, and Related Issues is addressed. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
