From 125f326fcaf5dcecc72f89d0c1a3378c415f4029 Mon Sep 17 00:00:00 2001 From: "zhangyiwen.even" Date: Fri, 3 Apr 2026 11:29:13 +0800 Subject: [PATCH 1/2] feat(approval): add tenant-aware guidance when approval scope is missing When a user-identity approval API call fails due to missing `approval:*` scopes, the agent now checks `tenant_key` before guiding the user: - For tenant `736588c9260f175d`: shows a friendly "not yet supported" message - For other tenants: follows the standard permission-fix flow in lark-shared --- skills/lark-approval/SKILL.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/skills/lark-approval/SKILL.md b/skills/lark-approval/SKILL.md index 14747dd21..fd552379f 100644 --- a/skills/lark-approval/SKILL.md +++ b/skills/lark-approval/SKILL.md @@ -12,6 +12,25 @@ metadata: **CRITICAL — 开始前 MUST 先用 Read 工具读取 [`../lark-shared/SKILL.md`](../lark-shared/SKILL.md),其中包含认证、权限处理** +## 审批权限不足时的租户兼容性分流 + +当以 **user 身份**调用审批 API 失败,且错误原因为缺少 `approval:` 开头的 scope(如 `approval:task:read`、`approval:instance:write` 等)时,**必须先检查当前用户的 `tenant_key`** 再决定如何引导: + +```bash +lark-cli contact +get-user +``` + +根据返回结果中 `data.user.tenant_key` 的值进行分流: + +- **`tenant_key` 为 `736588c9260f175d`** → 直接告知用户: + > ⚠️ 当前租户暂不支持使用审批 skill,敬请期待。 + + 不要引导用户去开发者后台添加权限,不要建议绕过方案。 + +- **其他 `tenant_key`** → 按 `lark-shared/SKILL.md` 中的标准权限不足处理流程引导用户添加对应 scope。 + +--- + ## API Resources ```bash From 63fe5ca8ddbb1f7604502204eb715ceec4a1995b Mon Sep 17 00:00:00 2001 
From: "zhangyiwen.even" Date: Fri, 3 Apr 2026 11:35:24 +0800 Subject: [PATCH 2/2] fix(approval): address review feedback on tenant-key guidance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Reference `permission_violations` field explicitly instead of vague "错误原因" (coderabbit suggestion) - Add fallback when `contact +get-user` fails: fall through to standard permission-fix flow (greptile suggestion) --- skills/lark-approval/SKILL.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/skills/lark-approval/SKILL.md b/skills/lark-approval/SKILL.md index fd552379f..68d48a9c4 100644 --- a/skills/lark-approval/SKILL.md +++ b/skills/lark-approval/SKILL.md @@ -14,7 +14,7 @@ metadata: ## 审批权限不足时的租户兼容性分流 -当以 **user 身份**调用审批 API 失败,且错误原因为缺少 `approval:` 开头的 scope(如 `approval:task:read`、`approval:instance:write` 等)时,**必须先检查当前用户的 `tenant_key`** 再决定如何引导: +当以 **user 身份**调用审批 API 失败,且错误响应的 `permission_violations` 中包含 `approval:` 开头的 scope(如 `approval:task:read`、`approval:instance:write` 等)时,**必须先检查当前用户的 `tenant_key`** 再决定如何引导: ```bash lark-cli contact +get-user @@ -29,6 +29,8 @@ lark-cli contact +get-user - **其他 `tenant_key`** → 按 `lark-shared/SKILL.md` 中的标准权限不足处理流程引导用户添加对应 scope。 +- **若 `lark-cli contact +get-user` 调用失败**(网络错误、缺少 `contact` 权限、返回中无 `tenant_key` 字段等)→ 按 `lark-shared/SKILL.md` 中的标准权限不足处理流程继续,不做租户分流。 + --- ## API Resources
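Review bot: In PATCH 1/2 (hunk `@@ -12,6 +12,25 @@`), the first bullet of the new section hard-codes the tenant key `736588c9260f175d` with no stated reason, owner or removal condition, so a later maintainer cannot tell whether the exclusion is still needed. Suggest adding one line that says why this tenant is excluded and where the list of excluded tenants is maintained, or moving the value into `lark-shared/SKILL.md` so other skills can reuse the same branch. The section should also say that this is guidance for the agent only: the instruction "不要引导用户去开发者后台添加权限" (do not guide the user to add permissions in the developer console) changes what the agent says and does not stop the user from requesting the scope, so any real restriction has to be enforced by the platform.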
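Review bot: In PATCH 2/2 (hunk `@@ -14,7 +14,7 @@`), the reworded trigger fires when `permission_violations` contains an `approval:` scope, but it does not cover a response that lists `approval:` scopes together with scopes of other prefixes. For tenant `736588c9260f175d` the first bullet then tells the agent not to guide the user to add permissions at all, which also drops guidance for the unrelated scopes. Suggest stating that the tenant branch applies only to the `approval:` entries and that any remaining entries still go through the standard flow in `lark-shared/SKILL.md`. It would also help to say where `permission_violations` sits in the error response, since the text names the field without a path.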
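Review bot: In PATCH 2/2 (hunk `@@ -29,6 +29,8 @@`), the added fallback bullet fails open: when `lark-cli contact +get-user` fails or returns no `tenant_key`, a user in tenant `736588c9260f175d` is sent through the standard permission-fix flow and told to add `approval:` scopes, which is exactly what the first bullet forbids. If that is the intended trade-off, say so in the bullet; otherwise suggest that the agent tell the user the tenant could not be determined before it offers the standard flow. The bullet also lists a missing `contact` permission as a failure cause, so it should state whether the agent may prompt for that scope or must skip the lookup without asking for further permissions.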