chore: add depguard and forbidigo lint rules for FileIO adoption

[tuxedomm]

Summary

• Add depguard linter to block shortcuts/ from importing internal/vfs directly — new code must use runtime.FileIO()
• Update forbidigo messages to provide layered guidance: internal/ → use vfs, shortcuts/ → use FileIO
• Add filepath.(EvalSymlinks|Walk|WalkDir|Glob|Abs) interception
• Consolidate verbose per-function forbidigo patterns into compact regex groups

CI uses --new-from-rev=origin/main so only new/modified code is checked — no impact on existing files.

Test plan

• golangci-lint run --new-from-rev=origin/main ./shortcuts/... — 0 issues
• CI lint job passes

Summary by CodeRabbit

• Chores
  • Strengthened linting configuration with an added linter and targeted exclusions for tests.
  • Introduced import restrictions preventing direct imports of internal filesystem helpers from shortcut code.
  • Consolidated and simplified forbidden patterns for OS and filesystem operations, with clarified guidance messages directing developers to approved helpers.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds depguard to .golangci.yml with a rule denying **/shortcuts/** from importing internal/vfs packages, and consolidates many forbidigo rules into regex-based forbids for os and filepath functions (including added filepath restrictions and adjusted messages).

Changes

Cohort / File(s)	Summary
Linter Configuration .​golangci.yml	Adds depguard linter and rule blocking **/shortcuts/** from importing github.com/larksuite/cli/internal/vfs and .../internal/vfs/localfileio. Replaces many individual forbidigo os.* forbids with consolidated regex patterns, adds `filepath.(EvalSymlinks

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibbled rules into a tidy line,
Guarding shortcuts from the VFS vine,
Regex hops, forbidden calls cease,
Linters hum — a quiet peace. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding depguard and forbidigo lint rules for FileIO adoption, matching the core modifications to .golangci.yml.
Description check	✅ Passed	The description covers Summary, Changes, and Test Plan sections. However, it lacks the Related Issues section and uses checkboxes instead of the template format.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/fileio-lint-depguard

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds a depguard rule to block shortcuts/ from importing internal/vfs directly, consolidates verbose per-function forbidigo patterns into compact regex groups, and extends filesystem interception to filepath.(EvalSymlinks|Walk|WalkDir|Glob|Abs). The vfs.ReadDir() wrapper already exists (confirmed in internal/vfs/default.go), so consolidating os.ReadDir into the "already wrapped" group is correct.

Confidence Score: 5/5

Safe to merge; all remaining findings are P2 style suggestions that don't block merge.

The change is linting config only with no runtime code. The depguard rule is correctly scoped to shortcuts/, vfs.ReadDir() is verified to exist so the consolidation is accurate, and CI passes. The only open finding is a P2 gap in the filepath.Glob migration guidance.

No files require special attention.

Vulnerabilities

No security concerns identified. The changes are limited to linting configuration and enforce stricter import boundaries.

Important Files Changed

Filename	Overview
.golangci.yml	Adds depguard rule scoped to shortcuts/, consolidates forbidigo regex patterns, and extends filepath interception; one gap: filepath.Glob is blocked but vfs.Glob() does not yet exist, leaving internal/ developers without a concrete migration path

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["New / Modified Code"] --> B{Layer?}
    B -->|"shortcuts/**"| C["forbidigo check\nos.*, filepath.*"]
    B -->|"shortcuts/**"| D["depguard check\nno internal/vfs imports"]
    B -->|"internal/**\n(except vfs/)"| E["forbidigo check\nos.*, filepath.*"]
    B -->|"Other layers\n(cmd/, etc.)"| F["forbidigo: excluded\ndepguard: not scoped here"]
    B -->|"_test.go (any)"| G["Both linters: excluded"]
    C --> H{"Violation?"}
    D --> H
    E --> H
    H -->|os.Stat/Open/…| I["→ vfs.Xxx()"]
    H -->|os.Create/Temp| J["→ vfs.CreateTemp() or streaming"]
    H -->|os.Mkdir| K["→ vfs.MkdirAll()"]
    H -->|filepath.Walk/Glob/…| L["→ vfs helpers / runtime.FileIO()"]
    H -->|"import internal/vfs\n(shortcuts only)"| M["→ runtime.FileIO()"]

Loading

_{Reviews (2): Last reviewed commit: "chore: add depguard and forbidigo rules ..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.golangci.yml:
- Around line 92-98: Remove the duplicate os\.Exit pattern (one of the two
identical rules for os\.Exit\b) and resolve the shadowing between the broad
os\.Std(in|out|err)\b rule and the specific os\.Stdin\b / os\.Stdout\b /
os\.Stderr\b rules: either delete the broad os\.Std(in|out|err)\b entry so the
specific messages for os.Stdin/os.Stdout/os.Stderr (e.g., the
IOStreams.In/Out/ErrOut guidance) remain effective, or delete the specific
os\.Stdin/os\.Stdout/os\.Stderr entries if you prefer the single generic
message—do not keep both.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3ca142c7-f0df-4257-b422-a0a3f7c781fa

📥 Commits

Reviewing files that changed from the base of the PR and between 63ea52b and e87cb69.

📒 Files selected for processing (1)

• .golangci.yml

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@b534fb0714617832e61c86c0d1fe5aae15ad8bf2

🧩 Skill update

npx skills add larksuite/cli#feat/fileio-lint-depguard -y -g

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.golangci.yml (1)

66-72: Mention ResolveSavePath() for write-path migrations.

shortcuts/common/runner.go:318-331 documents ResolveSavePath() as the shortcut helper for output paths, while ValidatePath() is for input-path validation. The current lint text only points to ValidatePath() / FileIO(), so save-path migrations will get incomplete guidance.

Also applies to: 103-108

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.golangci.yml around lines 66 - 72, Update the lint rule descriptions to
mention ResolveSavePath() as the helper for write/save path migrations in
addition to calling out runtime.ValidatePath() for input-path validation and
runtime.FileIO() for file operations; specifically, replace or augment
references to ValidatePath()/FileIO() in the existing messages (the ones that
currently forbid importing internal/vfs or internal/vfs/localfileio) to include
ResolveSavePath() so authors get correct guidance for output paths when
migrating shortcuts.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.golangci.yml:
- Around line 75-94: The rules for os.* patterns conflict with the new depguard
rule forbidding internal/vfs imports from shortcuts/, so update .golangci.yml to
remove the conflicting remediation: either split the existing
os\.(Stat|Lstat|Open|OpenFile|Rename|ReadFile|WriteFile|Getwd|UserHomeDir|ReadDir)\b
and related patterns into two path-scoped rules (one targeting internal/ with
messages pointing to internal/vfs and one targeting shortcuts/ with messages
pointing to runtime.FileIO()/runtime.ValidatePath()), or change the messages for
all shortcuts/ entries (e.g., the messages attached to patterns like
os\.(Create|CreateTemp|MkdirTemp)\b, os\.Mkdir(All)?\b, os\.Remove\b,
os\.RemoveAll\b,
os\.(Chdir|Chmod|Chown|Lchown|Chtimes|CopyFS|DirFS|Link|Symlink|Readlink|Truncate|SameFile)\b)
to reference runtime.FileIO()/runtime.ValidatePath() instead of internal/vfs so
the linter guidance no longer conflicts with depguard.

---

Nitpick comments:
In @.golangci.yml:
- Around line 66-72: Update the lint rule descriptions to mention
ResolveSavePath() as the helper for write/save path migrations in addition to
calling out runtime.ValidatePath() for input-path validation and
runtime.FileIO() for file operations; specifically, replace or augment
references to ValidatePath()/FileIO() in the existing messages (the ones that
currently forbid importing internal/vfs or internal/vfs/localfileio) to include
ResolveSavePath() so authors get correct guidance for output paths when
migrating shortcuts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 52762801-f01e-4957-956e-4321bc28ee47

📥 Commits

Reviewing files that changed from the base of the PR and between e87cb69 and b534fb0.

📒 Files selected for processing (1)

• .golangci.yml