fix(mail): add missing event scope for mail watch

[chanthuang]

Summary

• Add mail:user_mailbox.event.mail_address:read to mail +watch's declared Scopes
• Add the same scope to scope_overrides.json recommend.allow list

Problem

The mail +watch shortcut was missing the mail:user_mailbox.event.mail_address:read scope. Without it, WebSocket event payloads arrive without the mail_address field, which breaks:

• --mailbox filtering (cannot match events to the subscribed mailbox)
• fetchMailbox resolution (falls back to the --mailbox flag value instead of the event's actual mailbox address)

The scope was also absent from the auto-approve list, so auth login --recommend would not request it.

Test plan

• go build ./... passes
• go test ./shortcuts/mail/... ./internal/registry/... passes
• Manual: auth login --recommend now includes mail:user_mailbox.event.mail_address:read in requested scopes
• Manual: mail +watch events contain mail_address field after re-login

Summary by CodeRabbit

• Chores
  • Updated Mail Watch permission scopes to enable event-based mail address reads and broader mailbox read access. This improves email event handling and ensures address-level data can be accessed when monitoring mail, enhancing reliability of mail-related shortcuts and notifications for end users.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 724f2604-0b9a-413a-b2ce-d5082ee1e63f

📥 Commits

Reviewing files that changed from the base of the PR and between b99b08e and 6f5a4b8.

📒 Files selected for processing (1)

• shortcuts/mail/mail_watch.go

---

📝 Walkthrough

Walkthrough

Added the event-based scope mail:user_mailbox.event.mail_address:read to the scope registry and updated the MailWatch shortcut scopes to include that event scope and mail:user_mailbox:readonly (while retaining existing message read scopes).

Changes

Cohort / File(s)	Summary
Scope Registry Configuration internal/registry/scope_overrides.json	Added mail:user_mailbox.event.mail_address:read to the recommend.allow list.
MailWatch Shortcut shortcuts/mail/mail_watch.go	Updated MailWatch Scopes: added mail:user_mailbox.event.mail_address:read and mail:user_mailbox:readonly; existing message read scopes remain present.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix(mail): on-demand scope checks and watch event filtering #198: Modifies the MailWatch shortcut OAuth scopes in shortcuts/mail/mail_watch.go, likely overlapping scope changes.

Suggested reviewers

• infeng

Poem

🐰 A tiny hop to scope anew,
Event and mailbox added too.
MailWatch perks up its twitching ear,
Watching addresses far and near.
📫✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a missing event scope for the mail watch feature.
Description check	✅ Passed	The description covers all required template sections: Summary explains what was added and why, Changes lists the modifications, Test Plan includes verification steps, and Related Issues is noted.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/mail-watch-event-scope

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR fixes two missing scope declarations for mail +watch: mail:user_mailbox.event.mail_address:read (needed for event payload mailbox filtering) is added to both the shortcut's Scopes list and scope_overrides.json's recommend.allow, and mail:user_mailbox:readonly (needed for fetchMailboxPrimaryEmail when --mailbox me) is added to the shortcut's Scopes. Both additions are correct — mail:user_mailbox.event.mail_address:read has recommend: \"false\" in scope_priorities.json so the recommend.allow entry is required, while mail:user_mailbox:readonly already has recommend: \"true\" in scope_priorities.json so no recommend.allow entry is needed.

Confidence Score: 5/5

Safe to merge — targeted scope fixes with no logic changes and no P0/P1 findings.

Both scope additions are correct and complete: mail:user_mailbox.event.mail_address:read is properly added to both the shortcut Scopes and recommend.allow (since scope_priorities.json marks it recommend=false), and mail:user_mailbox:readonly is correctly added only to Scopes (since scope_priorities.json already marks it recommend=true). No inline comments warranted.

No files require special attention.

Vulnerabilities

No security concerns identified. The changes add OAuth scope declarations and an auto-approve allowlist entry; no secrets, input handling, or auth boundary logic is modified.

Important Files Changed

Filename	Overview
shortcuts/mail/mail_watch.go	Adds mail:user_mailbox.event.mail_address:read and mail:user_mailbox:readonly to the shortcut's declared Scopes; both are functionally required and correctly scoped.
internal/registry/scope_overrides.json	Adds mail:user_mailbox.event.mail_address:read to recommend.allow, correctly overriding the platform's recommend: "false" so auth login --recommend requests it.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[auth login --recommend] --> B[LoadAutoApproveSet]
    B --> C[scope_priorities.json recommend=true]
    B --> D[scope_overrides.json recommend.allow]
    D --> E[mail:user_mailbox.event.mail_address:read added by PR]
    F[mail +watch --mailbox me] --> G[fetchMailboxPrimaryEmail\nrequires mail:user_mailbox:readonly]
    F --> H[WebSocket connect]
    H --> I[Event received with mail_address field]
    I --> J[Filter by mailbox]
    J --> K[Emit matching event to stdout]

Loading

_{Reviews (2): Last reviewed commit: "fix(mail): add missing mailbox profile s..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

shortcuts/mail/mail_watch.go (1)

182-210: ⚠️ Potential issue | 🟠 Major

Use vfs.* instead of os.* for filesystem operations.

Lines 182-183 use os.UserHomeDir() and line 203 uses os.MkdirAll(). As per coding guidelines, all filesystem access should use vfs.* instead of os.* to support virtual filesystem abstractions for testing and sandboxing.

📁 Proposed fix to use vfs package

Check if the vfs package is imported and available, then replace:

-			home, err := os.UserHomeDir()
+			home, err := vfs.UserHomeDir()
 			if err != nil {
 				return fmt.Errorf("cannot expand ~: %w", err)

-		if err := os.MkdirAll(outputDir, 0700); err != nil {
+		if err := vfs.MkdirAll(outputDir, 0700); err != nil {
 			return fmt.Errorf("cannot create output directory %q: %w", outputDir, err)

As per coding guidelines: Use vfs.* instead of os.* for all filesystem access.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@shortcuts/mail/mail_watch.go` around lines 182 - 210, Replace direct os
package filesystem calls with the vfs equivalents: call vfs.UserHomeDir()
instead of os.UserHomeDir(), vfs.MkdirAll(outputDir, 0700) instead of
os.MkdirAll(...), and use vfs.EvalSymlinks(outputDir) instead of
filepath.EvalSymlinks so the code honors the virtual filesystem abstraction;
keep the same error handling and assignment to outputDir, and ensure the vfs
package is imported and used around the existing logic that also calls
validate.SafeOutputPath and manipulates the outputDir variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@shortcuts/mail/mail_watch.go`:
- Line 84: The Scopes array in mail_watch.go is missing the required
"mail:user_mailbox:readonly" permission which causes
fetchMailboxPrimaryEmail(runtime, "me") to fail when mailbox defaults to "me";
update the Scopes slice (the Scopes: []string{...} declaration) to include
"mail:user_mailbox:readonly" alongside the existing mail scopes so the default
mailbox resolution and event filtering have the necessary readonly mailbox
access.

---

Outside diff comments:
In `@shortcuts/mail/mail_watch.go`:
- Around line 182-210: Replace direct os package filesystem calls with the vfs
equivalents: call vfs.UserHomeDir() instead of os.UserHomeDir(),
vfs.MkdirAll(outputDir, 0700) instead of os.MkdirAll(...), and use
vfs.EvalSymlinks(outputDir) instead of filepath.EvalSymlinks so the code honors
the virtual filesystem abstraction; keep the same error handling and assignment
to outputDir, and ensure the vfs package is imported and used around the
existing logic that also calls validate.SafeOutputPath and manipulates the
outputDir variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 850c59a6-6d50-44a6-a11e-b639e9207771

📥 Commits

Reviewing files that changed from the base of the PR and between af83e54 and b99b08e.

📒 Files selected for processing (2)

• internal/registry/scope_overrides.json
• shortcuts/mail/mail_watch.go

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@6f5a4b8241415386075d10adecf16e87252a56c3

🧩 Skill update

npx skills add larksuite/cli#fix/mail-watch-event-scope -y -g