larksuite · herbertliu · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 11, 2026
diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,4 @@ tests/mail/reports/
 internal/registry/meta_data.json
 cmd/api/download.bin
 app.log
+.tmp/
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -14,3 +14,4 @@ id = "lark-session-token"
 description = "Detect Lark session tokens"
 regex = '''\bXN0YXJ0-[A-Za-z0-9_-]+-WVuZA\b'''
 keywords = ["XN0YXJ0-", "-WVuZA"]
+
diff --git a/Makefile b/Makefile
@@ -8,7 +8,9 @@ DATE     := $(shell date +%Y-%m-%d)
 LDFLAGS  := -s -w -X $(MODULE)/internal/build.Version=$(VERSION) -X $(MODULE)/internal/build.Date=$(DATE)
 PREFIX   ?= /usr/local
 
-.PHONY: build vet test unit-test integration-test install uninstall clean fetch_meta
+.PHONY: all build vet test unit-test integration-test install uninstall clean fetch_meta gitleaks
+
+all: test
 
 fetch_meta:
 	python3 scripts/fetch_meta.py
@@ -37,3 +39,13 @@ uninstall:
 
 clean:
 	rm -f $(BINARY)
+
+# Run secret-leak checks locally before pushing.
+# Step 1: check-doc-tokens catches realistic-looking example tokens in reference
+#         docs and asks you to use _EXAMPLE_TOKEN placeholders instead.
+# Step 2: gitleaks scans the full repo for real leaked secrets.
+# Install gitleaks: https://github.com/gitleaks/gitleaks#installing
+gitleaks:
+	@bash scripts/check-doc-tokens.sh
+	@command -v gitleaks >/dev/null 2>&1 || { echo "gitleaks not found. Install: brew install gitleaks"; exit 1; }
+	gitleaks detect --redact -v --exit-code=2
diff --git a/scripts/check-doc-tokens.sh b/scripts/check-doc-tokens.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# Copyright (c) 2026 Lark Technologies Pte. Ltd.
+# SPDX-License-Identifier: MIT
+#
+# check-doc-tokens.sh
+#
+# Scans skill reference docs for token-like values that look realistic but
+# are not using the required placeholder format (*_EXAMPLE_TOKEN or similar).
+#
+# Real token patterns (Lark API) often look like:
+#   wikcnXXXXXXXXX  doccnXXXXXXX  shtcnXXX  fldcnXXX  ou_XXXX  cli_XXXX
+#
+# Docs MUST use clearly fake placeholders, e.g.:
+#   wikcn_EXAMPLE_TOKEN   doccn_EXAMPLE_TOKEN   <space_id>   your_token_here
+#
+# If this check fails, replace the realistic-looking value with a placeholder
+# like `wikcn_EXAMPLE_TOKEN` so gitleaks CI won't flag it as a real secret.
+
+set -euo pipefail
+
+SKILLS_DIR="${1:-skills}"
+ERRORS=0
+
+# Patterns that indicate a realistic-looking Lark token value inside a string.
+# Matches JSON-style: "field": "token_value" or markdown backtick spans.
+# Token prefixes used by Lark Open Platform:
+#   wikcn  doccn  docx  shtcn  bascn  fldcn  vewcn  tbln  ou_  cli_  obcn  flec
+#
+# Excluded (clearly fake):
+#   - Values ending with EXAMPLE_TOKEN  (e.g. wikcn_EXAMPLE_TOKEN)
+#   - Values that are all uppercase X   (e.g. bascnXXXXXXXX)
+#   - Values containing only X/_/<>     (e.g. <your_token>)
+# Require at least one digit in the suffix — real API tokens are always alphanumeric
+# with digits. Pure-letter suffixes (e.g. ou_manager, ou_director) are clearly fake names.
+REALISTIC_TOKEN_RE='"(wikcn|doccn|docx[a-z]|shtcn|bascn|fldcn|vewcn|tbln|obcn|flec|ou_|cli_)[A-Za-z0-9]*[0-9][A-Za-z0-9]{3,}"|`(wikcn|doccn|docx[a-z]|shtcn|bascn|fldcn|vewcn|tbln|obcn|flec|ou_|cli_)[A-Za-z0-9]*[0-9][A-Za-z0-9]{3,}`'
+PLACEHOLDER_RE='(EXAMPLE|_TOKEN|XXXX|xxxx|<|>|your_|_here)'
+
+while IFS= read -r -d '' file; do
+  # grep returns exit 1 when no match — use || true to avoid set -e killing us
+  # Then filter out values that are clearly placeholders (EXAMPLE, XXXX, etc.)
+  matches=$(grep -nEo "$REALISTIC_TOKEN_RE" "$file" 2>/dev/null | grep -vE "$PLACEHOLDER_RE" || true)
+  if [[ -n "$matches" ]]; then
+    echo ""
+    echo "❌  $file"
+    echo "    Contains realistic-looking token values that may trigger gitleaks:"
+    while IFS= read -r line; do
+      echo "      $line"
+    done <<< "$matches"
+    echo "    → Replace with a placeholder, e.g.: wikcn_EXAMPLE_TOKEN, doccn_EXAMPLE_TOKEN"
+    ERRORS=$((ERRORS + 1))
+  fi
+done < <(find "$SKILLS_DIR" -path "*/references/*.md" -print0)
+
+if [[ $ERRORS -gt 0 ]]; then
+  echo ""
+  echo "❌  check-doc-tokens: $ERRORS file(s) contain realistic token values in reference docs."
+  echo "    Use _EXAMPLE_TOKEN placeholders to avoid false positives in gitleaks CI."
+  exit 1
+else
+  echo "✅  check-doc-tokens: all reference docs use safe placeholder tokens."
+fi
diff --git a/shortcuts/wiki/shortcuts.go b/shortcuts/wiki/shortcuts.go
@@ -10,5 +10,8 @@ func Shortcuts() []common.Shortcut {
 	return []common.Shortcut{
 		WikiMove,
 		WikiNodeCreate,
+		WikiSpaceList,
+		WikiNodeList,
+		WikiNodeCopy,
 	}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,3 +36,4 @@ tests/mail/reports/ @@
     internal/registry/meta_data.json
     cmd/api/download.bin
     app.log
+    .tmp/
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,3 +14,4 @@ id = "lark-session-token"
		description = "Detect Lark session tokens"
		regex = '''\bXN0YXJ0-[A-Za-z0-9_-]+-WVuZA\b'''
		keywords = ["XN0YXJ0-", "-WVuZA"]