feat: wrap no-wait verification url as markdown autolink

[liangshuo-1]

Summary

auth login --no-wait --json returns a verification_url for an AI agent to relay to the end user. URLs from the OAuth device-flow endpoint contain underscores in query parameters (e.g., state, flow_id, user_code); when the agent embeds the URL in a markdown reply, underscores are parsed as italic markers and the URL gets truncated by the renderer, breaking the OAuth flow.

This PR wraps the URL in angle brackets (<...>) so it is recognized as a markdown autolink. Renderers leave inner content unparsed, the URL stays clickable, and the user still sees the full URL for OAuth review (vs hiding it behind [link](url) link text).

Changes

• cmd/auth/login.go: in the --no-wait JSON branch, wrap verification_url value as <URL> and update the hint field to instruct agents to display the value verbatim
• cmd/auth/login_test.go: 4 new tests covering the JSON contract — --no-wait wraps as autolink, hint instructs verbatim display, interactive --json keeps raw URL, plain-text stderr keeps bare URL

The change is scoped to --no-wait. Interactive --json output and plain-text stderr remain unchanged: those paths target programs and human terminal users where bare URLs are appropriate.

Test Plan

• make unit-test passed (all packages green; including 4 new cmd/auth/ cases and the existing TestAuthLoginRun_* regression set)
• go vet ./... passed (no make validate target in Makefile; vet is the closest equivalent)
• skipped: local-eval — change is JSON-contract only, fully covered by unit tests; no shortcut/skill behavior touched
• skipped: acceptance-reviewer — manual verification below covers the agent-rendering path end-to-end
• manual verification: ran ./lark-cli auth login --no-wait --json --scope "im:message:send" against the real Feishu device-authorization endpoint; confirmed verification_url is <https://accounts.feishu.cn/oauth/v1/device/verify?flow_id=...&user_code=...> and the hint reads "Show verification_url to the user verbatim — it is wrapped in <> as a markdown autolink ..."

Related Issues

N/A

Summary by CodeRabbit

• Bug Fixes

  • JSON output for the login command in no-wait mode now emits the verification URL as a markdown autolink.
  • Updated on-screen instructions to tell users to present the verification URL verbatim (including backticks/markdown) and avoid altering it.

• Tests

  • Added tests covering URL formatting and companion-field behavior across interactive, no-wait, JSON, and plain-text modes.

[coderabbitai]

📝 Walkthrough

Walkthrough

When --no-wait --json is used, the auth login command now emits the verification URL as a markdown-formatted link (e.g., [URL](URL)) and the hint text instructs presenting that exact formatted value; tests added to validate JSON and plain-text outputs across modes.

Changes

Cohort / File(s)	Summary
Auth Login Output cmd/auth/login.go	For the --no-wait --json path, emit verification_url as a markdown-formatted link ([URL](URL)) and update the hint text to instruct users to present the formatted value verbatim (including backticks/markdown) before running the follow-up login command.
Test Coverage cmd/auth/login_test.go	Adds four tests: --no-wait --json expects exact markdown-wrapped verification_url and hint referencing verbatim/backtick instructions; interactive --json expects raw verification_uri_complete (no markdown companion field); plain-text output expects only a bare URL on stderr and excludes autolink forms; stubs token polling for interactive JSON flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: correct URL formatting in login --no-wait output #169: Modifies JSON output handling for the auth login verification URL; touches the same output formatting area.

Suggested reviewers

• albertnusouo

Poem

"I found a link in brackets bright,
Clickable like morning light,
Tests hop forward, prints just so,
Show it verbatim, don't let it go —
A rabbit cheers the formatted flow! 🐇"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: wrapping the verification URL as markdown autolink in the no-wait output path.
Description check	✅ Passed	The description is comprehensive and well-structured, covering all template sections with clear motivation, detailed changes, thorough test plan with checkmarks, and related issues noted as N/A.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/auth-login-md-url

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.82%. Comparing base (6bb988a) to head (dd9d06f).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #703      +/-   ##
==========================================
+ Coverage   63.80%   63.82%   +0.02%     
==========================================
  Files         500      500              
  Lines       43531    43531              
==========================================
+ Hits        27773    27782       +9     
+ Misses      13317    13308       -9     
  Partials     2441     2441              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@dd9d06fed1f7e6e828a99a68bfc5d5d8032017db

🧩 Skill update

npx skills add larksuite/cli#feat/auth-login-md-url -y -g

[coderabbitai]

🧹 Nitpick comments (2)

cmd/auth/login_test.go (1)

995-1003: Tighten hint assertions to protect the exact contract text.

At Line 995, checking broad tokens ("verbatim", "backtick") may still pass if critical phrasing regresses. Consider asserting the exact structural phrase and guardrail text.

Suggested assertion tightening

 	for _, want := range []string{
 		"verification_url",
 		"verbatim",
-		"backtick",
+		"`[`URL`](URL)`",
+		"Do not unwrap, escape, or rewrite",
 	} {

As per coding guidelines, “Design CLI flags, help text, and error messages with AI agent consumption in mind” and “Every behavior change must have an accompanying test.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/auth/login_test.go` around lines 995 - 1003, The current test loop that
inspects the variable hint (in cmd/auth/login_test.go) is too loose — replace
the loose token checks for "verbatim" and "backtick" with assertions that match
the exact expected guardrail/help phrasing (or a precise regexp) so the test
enforces the exact contract text; update the loop that iterates over the
[]string and the t.Fatalf message to check for the full expected substrings
(e.g., the exact structural phrase containing the verification_url and the
verbatim/backtick guidance) or add separate assertions that validate the
complete lines verbatim, ensuring the test fails on any phrasing regression.

cmd/auth/login.go (1)

233-233: Harden markdown destination formatting for edge-case URLs.

At Line 233, the markdown destination is inserted as raw (URL). If the URL contains ), some markdown parsers can truncate the link target. Prefer angle-bracket destinations to preserve full parsing.

Proposed hardening

-		data := map[string]interface{}{
-			"verification_url": "[`" + authResp.VerificationUriComplete + "`](" + authResp.VerificationUriComplete + ")",
+		completeURL := authResp.VerificationUriComplete
+		data := map[string]interface{}{
+			"verification_url": "[`" + completeURL + "`](<" + completeURL + ">)",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/auth/login.go` at line 233, Replace the raw markdown link destination
"(URL)" with an angle-bracketed destination "(<URL>)" to avoid truncation when
the URL contains ")" — specifically update the string construction that uses
authResp.VerificationUriComplete (the expression currently building "`" +
authResp.VerificationUriComplete + "`](" + authResp.VerificationUriComplete +
")") so the destination becomes "(<" + authResp.VerificationUriComplete + ">)",
e.g. "[`<url>`](<url>)" style, leaving the visible text unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cmd/auth/login_test.go`:
- Around line 995-1003: The current test loop that inspects the variable hint
(in cmd/auth/login_test.go) is too loose — replace the loose token checks for
"verbatim" and "backtick" with assertions that match the exact expected
guardrail/help phrasing (or a precise regexp) so the test enforces the exact
contract text; update the loop that iterates over the []string and the t.Fatalf
message to check for the full expected substrings (e.g., the exact structural
phrase containing the verification_url and the verbatim/backtick guidance) or
add separate assertions that validate the complete lines verbatim, ensuring the
test fails on any phrasing regression.

In `@cmd/auth/login.go`:
- Line 233: Replace the raw markdown link destination "(URL)" with an
angle-bracketed destination "(<URL>)" to avoid truncation when the URL contains
")" — specifically update the string construction that uses
authResp.VerificationUriComplete (the expression currently building "`" +
authResp.VerificationUriComplete + "`](" + authResp.VerificationUriComplete +
")") so the destination becomes "(<" + authResp.VerificationUriComplete + ">)",
e.g. "[`<url>`](<url>)" style, leaving the visible text unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 67a2d421-9300-4fac-8141-717ec216e238

📥 Commits

Reviewing files that changed from the base of the PR and between 4e2baf7 and dd9d06f.

📒 Files selected for processing (2)

• cmd/auth/login.go
• cmd/auth/login_test.go