Lark CLI configuration, authentication, and operational guidelines for agent workflows.

• Requires initial setup via lark-cli config init --new; generate QR codes for all verification URLs using lark-cli auth qrcode before sharing with users
• Supports two identity types—user (personal resources via auth login) and bot (application-level via appId/appSecret)—with distinct permission models; confirm identity matches the operation's intent
• Handle permission errors differently by identity: bot requires backend scope setup (provide console_url), user requires auth login --scope or --domain with explicit scope specification
• Use split-flow for agent-initiated auth: execute --no-wait --json to get verification URL and device code, display to user, then execute --device-code in a follow-up step after user confirms completion
• High-risk write operations require explicit user confirmation; when CLI exits with code 10 and confirmation_required error, display the action details, obtain user consent, then retry with --yes appended to the original command