@lark-apaas/openclaw-scripts-diagnose-cli 0.1.1-alpha.0

package/LICENSE

@@ -0,0 +1,13 @@
+MIT License
+
+Copyright (c) 2024 Lark Technologies Pte. Ltd. and/or its affiliates
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted,provided that the above copyright notice and this permission notice appear in all copies.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE
+INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
+EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
+DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,121 @@
+# @lark-apaas/openclaw-scripts-diagnose-cli
+
+OpenClaw 配置诊断与修复 CLI，支持 JSON5 格式。
+
+## 使用方式
+
+```bash
+# 检查模式：校验 openclaw 配置
+npx -y @lark-apaas/openclaw-scripts-diagnose-cli check --ctx='<base64编码的JSON>'
+
+# 修复模式：修复失败的规则
+npx -y @lark-apaas/openclaw-scripts-diagnose-cli repair --ctx='<base64编码的JSON>'
+```
+
+## 架构
+
+```
+@Rule() 装饰器注册
+       ↓
+  依赖图拓扑排序
+       ↓
+  按依赖顺序执行 validate / repair
+       ↓
+  输出 JSON 结果到 stdout
+```
+
+### 规则引擎
+
+- **`DiagnoseRule`** 抽象基类：每个规则实现 `validate()` 和可选的 `repair()`
+- **`@Rule(meta)`** 装饰器：声明规则元信息（key、dependsOn、repairMode、skipWhen），自动注册到全局注册表
+- **依赖图**：框架通过 `dependsOn` 拓扑排序，依赖失败则跳过当前规则
+
+### 修复模式（RepairMode）
+
+| 模式 | 说明 | 脚本行为 |
+|------|------|---------|
+| `standard` | 可自动修复 | 调用 `repair()` 方法 |
+| `ai` | 需 AI/人工介入 | 仅返回 `{ rule_name, detail }` |
+| `reset` | 需外部重置 | 仅返回 `{ rule_name, detail }` |
+
+## 规则列表
+
+### 依赖关系图
+
+```
+multi_process_detect              config_file_recover
+(无依赖)                              (无依赖)
+                                       ↓
+                                 config_file_missing
+                                       ↓
+                                 config_syntax_check
+                                  ↙  ↙    ↓    ↘  ↘
+                        model_  secret_ feishu  gateway  allowed_
+                        provider provider channel         origins
+                          ↓        ↓
+                       jwt_token secrets_file
+```
+
+### 规则详情
+
+| 规则 Key | RepairMode | dependsOn | skipWhen | 说明 |
+|----------|-----------|-----------|----------|------|
+| `multi_process_detect` | standard | — | — | 检测多个 openclaw-gateway 进程 |
+| `config_file_recover` | standard | — | — | 配置文件缺失但有 `.bak` 备份，从最高编号备份恢复 |
+| `config_file_missing` | reset | `config_file_recover` | — | 配置文件缺失且无备份 |
+| `config_syntax_check` | ai | `config_file_recover`, `config_file_missing` | — | JSON5 语法校验 |
+| `model_provider` | standard | `config_syntax_check` | 未使用 miaoda 模型 | 模型 Provider 配置 |
+| `secret_provider` | standard | `config_syntax_check` | 未使用 miaoda 或无 provider 引用 | 密钥 Provider 配置 |
+| `feishu_channel` | standard | `config_syntax_check` | — | 飞书渠道配置 |
+| `gateway` | standard | `config_syntax_check` | — | 网关配置（port、auth、controlUi） |
+| `allowed_origins` | standard | `config_syntax_check` | — | CORS 来源配置 |
+| `jwt_token` | standard | `config_syntax_check` | apiKey 未引用 miaoda-provider | JWT Token 有效期 |
+| `secrets_file` | standard | `config_syntax_check` | 无字段引用 miaoda-secret-provider | 密钥文件内容校验 |
+
+## Check 输出格式
+
+```json
+{
+  "failedRules": {
+    "standard": ["gateway", "feishu_channel"],
+    "ai": [{ "rule_name": "config_syntax_check", "detail": "JSON5 语法错误..." }],
+    "reset": []
+  }
+}
+```
+
+## 扩展新规则
+
+1. 在 `src/rules/` 下新建文件
+2. 实现 `@Rule()` 装饰的类：
+
+```typescript
+@Rule({
+  key: 'my_new_rule',
+  dependsOn: ['config_syntax_check'],
+  repairMode: 'standard',
+})
+class MyNewRule extends DiagnoseRule {
+  validate(ctx: RuleContext): RuleResult {
+    // 检查逻辑
+  }
+  repair(ctx: RuleContext): void {
+    // 修复逻辑（仅 standard 模式需要）
+  }
+}
+```
+
+3. 在 `src/rules/index.ts` 加一行 `import './my-new-rule.js'`
+
+## 开发
+
+```bash
+# 构建
+npm run build
+
+# 单元测试
+npm test
+
+# 集成测试（需要 Docker）
+npm run test:integration
+```

package/dist/index.cjs

@@ -0,0 +1,1008 @@
+#!/usr/bin/env node
+//#region \0rolldown/runtime.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+		key = keys[i];
+		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+			get: ((k) => from[k]).bind(null, key),
+			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+		});
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+//#endregion
+let node_process = require("node:process");
+node_process = __toESM(node_process);
+let json5 = require("json5");
+json5 = __toESM(json5);
+let node_fs = require("node:fs");
+node_fs = __toESM(node_fs);
+let node_path = require("node:path");
+node_path = __toESM(node_path);
+let node_child_process = require("node:child_process");
+//#region src/rule-engine/base.ts
+/** Abstract base class for all diagnose rules */
+var DiagnoseRule = class {
+	/** Metadata injected by @Rule() decorator */
+	get meta() {
+		return this._meta;
+	}
+	/** Fix the issue. Mutates ctx.config in-place. Default: no-op */
+	repair(_ctx) {}
+};
+const ruleRegistry = [];
+/** Class decorator: register a rule with metadata */
+function Rule(meta) {
+	return function(target) {
+		target.prototype._meta = meta;
+		ruleRegistry.push(target);
+		return target;
+	};
+}
+/** Get all registered rule instances, topologically sorted by dependsOn */
+function getAllRules() {
+	return topoSort(ruleRegistry.map((Ctor) => new Ctor()));
+}
+function topoSort(rules) {
+	const keyMap = /* @__PURE__ */ new Map();
+	const inDegree = /* @__PURE__ */ new Map();
+	const adj = /* @__PURE__ */ new Map();
+	for (const rule of rules) {
+		keyMap.set(rule.meta.key, rule);
+		inDegree.set(rule.meta.key, (rule.meta.dependsOn || []).length);
+		for (const dep of rule.meta.dependsOn || []) {
+			if (!adj.has(dep)) adj.set(dep, []);
+			adj.get(dep).push(rule.meta.key);
+		}
+	}
+	const queue = [...keyMap.keys()].filter((k) => inDegree.get(k) === 0);
+	const sorted = [];
+	while (queue.length > 0) {
+		const key = queue.shift();
+		sorted.push(keyMap.get(key));
+		for (const dependent of adj.get(key) || []) {
+			inDegree.set(dependent, inDegree.get(dependent) - 1);
+			if (inDegree.get(dependent) === 0) queue.push(dependent);
+		}
+	}
+	return sorted;
+}
+//#endregion
+//#region src/utils.ts
+/**
+* Navigate nested object by keys, returning the value if it's a non-array object,
+* or undefined otherwise.
+*/
+function getNestedMap(obj, ...keys) {
+	let current = obj;
+	for (const key of keys) {
+		if (current == null || typeof current !== "object") return void 0;
+		current = current[key];
+	}
+	return current != null && typeof current === "object" && !Array.isArray(current) ? current : void 0;
+}
+/**
+* Recursively check that all entries in `expected` match those in `actual`.
+* Values are compared via String() coercion; nested objects recurse.
+*/
+function matchMap(actual, expected) {
+	if (actual == null || typeof actual !== "object") return false;
+	const actualObj = actual;
+	for (const [k, v] of Object.entries(expected)) {
+		const av = actualObj[k];
+		if (av === void 0) return false;
+		if (v != null && typeof v === "object" && !Array.isArray(v)) {
+			if (!matchMap(av, v)) return false;
+			continue;
+		}
+		if (String(av) !== String(v)) return false;
+	}
+	return true;
+}
+/** Check if a value is a provider reference pointing to `providerName`. */
+function isProviderRef(val, providerName) {
+	return val != null && typeof val === "object" && !Array.isArray(val) && val.provider === providerName;
+}
+/** Validate that a string is a non-expired JWT (3-part, base64url payload with numeric exp). */
+function isValidJWT(token) {
+	if (typeof token !== "string") return false;
+	const parts = token.split(".");
+	if (parts.length !== 3) return false;
+	try {
+		const exp = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8")).exp;
+		if (typeof exp !== "number") return false;
+		return Date.now() < exp * 1e3;
+	} catch {
+		return false;
+	}
+}
+/** Set a deeply nested value, creating intermediate objects as needed. */
+function setNestedValue(obj, keys, value) {
+	let current = obj;
+	for (let i = 0; i < keys.length - 1; i++) {
+		const k = keys[i];
+		if (current[k] == null || typeof current[k] !== "object") current[k] = {};
+		current = current[k];
+	}
+	current[keys[keys.length - 1]] = value;
+}
+/** Analyze which miaoda providers the config references. */
+function analyzeProviderDeps(config) {
+	const deps = {
+		usesMiaodaProvider: false,
+		usesMiaodaSecretProvider: false
+	};
+	if (!config) return deps;
+	const miaoda = getNestedMap(config, "models", "providers", "miaoda");
+	if (miaoda) {
+		if (isProviderRef(miaoda.apiKey, "miaoda-provider")) deps.usesMiaodaProvider = true;
+		if (isProviderRef((typeof miaoda.headers === "object" && miaoda.headers || {})["x-api-key"], "miaoda-secret-provider")) deps.usesMiaodaSecretProvider = true;
+	}
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (feishu && isProviderRef(feishu.appSecret, "miaoda-secret-provider")) deps.usesMiaodaSecretProvider = true;
+	const auth = getNestedMap(config, "gateway", "auth");
+	if (auth && isProviderRef(auth.token, "miaoda-secret-provider")) deps.usesMiaodaSecretProvider = true;
+	return deps;
+}
+/** Check if the config uses miaoda models (agents.defaults.model.primary or agents.defaults.models). */
+function shouldCheckMiaodaRules(config) {
+	if (!config) return false;
+	const model = getNestedMap(config, "agents", "defaults", "model");
+	if (model && typeof model.primary === "string" && model.primary.startsWith("miaoda/")) return true;
+	const defaults = getNestedMap(config, "agents", "defaults");
+	if (defaults && defaults.models) {
+		if (typeof defaults.models === "object" && !Array.isArray(defaults.models)) {
+			for (const key of Object.keys(defaults.models)) if (key.startsWith("miaoda/")) return true;
+		}
+		if (Array.isArray(defaults.models)) {
+			for (const m of defaults.models) if (typeof m === "string" && m.startsWith("miaoda/")) return true;
+		}
+	}
+	return false;
+}
+/** Get the JSON5 parser (bundled as dependency). */
+function loadJSON5() {
+	return json5.default;
+}
+//#endregion
+//#region src/rule-engine/io.ts
+/** Read a text file, return content or throw */
+function readFile(filePath) {
+	return node_fs.default.readFileSync(filePath, "utf-8").trim();
+}
+/** Write a text file, creating parent dirs if needed */
+function writeFile(filePath, content) {
+	const dir = node_path.default.dirname(filePath);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	node_fs.default.writeFileSync(filePath, content, "utf-8");
+}
+/** Check if a file exists */
+function fileExists(filePath) {
+	return node_fs.default.existsSync(filePath);
+}
+/** Execute a shell command, return stdout. Throws on failure. */
+function shell(cmd, timeoutMs = 1e4) {
+	return (0, node_child_process.execSync)(cmd, {
+		encoding: "utf-8",
+		timeout: timeoutMs
+	}).trim();
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.121.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+//#region src/rules/multi-process-detect.ts
+let ProcessStatusRule = class ProcessStatusRule extends DiagnoseRule {
+	validate(_ctx) {
+		try {
+			const output = shell("count=0; for pid in $(pgrep -f \"[o]penclaw-gateway\" 2>/dev/null); do comm=$(cat /proc/$pid/comm 2>/dev/null || true); case \"$comm\" in openclaw*) count=$((count+1));; esac; done; [ \"$count\" -gt 1 ] && echo \"multiple_gateway_processes:$count\" || true");
+			if (output.includes("multiple_gateway_processes")) return {
+				pass: false,
+				message: "multiple openclaw-gateway processes detected: " + output
+			};
+			return { pass: true };
+		} catch (e) {
+			return {
+				pass: false,
+				message: "process check exec failed: " + e.message
+			};
+		}
+	}
+};
+ProcessStatusRule = __decorate([Rule({
+	key: "multi_process_detect",
+	repairMode: "standard"
+})], ProcessStatusRule);
+//#endregion
+//#region src/rules/config-file-recover.ts
+/**
+* Find backup files matching `<configBaseName>.bak*` in the same directory.
+*/
+function findBackupFiles(configPath) {
+	const dir = node_path.default.dirname(configPath);
+	const baseName = node_path.default.basename(configPath);
+	try {
+		return node_fs.default.readdirSync(dir).filter((f) => f.startsWith(baseName + ".bak")).map((f) => node_path.default.join(dir, f));
+	} catch {
+		return [];
+	}
+}
+/**
+* Among backup files, find the one with the highest numeric suffix.
+* `.bak` (no number) is treated as 0, `.bak1` as 1, `.bak2` as 2, etc.
+*/
+function findHighestBackup(backupFiles) {
+	if (backupFiles.length === 0) return null;
+	const bakRegex = /\.bak(\d*)$/;
+	let best = null;
+	for (const f of backupFiles) {
+		const match = bakRegex.exec(f);
+		if (!match) continue;
+		const n = match[1] ? parseInt(match[1], 10) : 0;
+		if (!best || n > best.n) best = {
+			path: f,
+			n
+		};
+	}
+	return best?.path ?? null;
+}
+let ConfigFileBackupRule = class ConfigFileBackupRule extends DiagnoseRule {
+	validate(ctx) {
+		const configPath = ctx.config.__configPath;
+		if (!configPath) return {
+			pass: false,
+			message: "configPath not provided"
+		};
+		if (fileExists(configPath)) return { pass: true };
+		if (findBackupFiles(configPath).length > 0) return {
+			pass: false,
+			message: "配置文件不存在但发现备份文件, 可从备份恢复"
+		};
+		return { pass: true };
+	}
+	repair(ctx) {
+		const configPath = ctx.config.__configPath;
+		if (!configPath) return;
+		const best = findHighestBackup(findBackupFiles(configPath));
+		if (!best) return;
+		const content = readFile(best);
+		loadJSON5().parse(content);
+		writeFile(configPath, content);
+	}
+};
+ConfigFileBackupRule = __decorate([Rule({
+	key: "config_file_recover",
+	repairMode: "standard"
+})], ConfigFileBackupRule);
+//#endregion
+//#region src/rules/config-file-missing.ts
+/**
+* Check if backup files exist for the given config path.
+*/
+function hasBackupFiles(configPath) {
+	const dir = node_path.default.dirname(configPath);
+	const baseName = node_path.default.basename(configPath);
+	try {
+		return node_fs.default.readdirSync(dir).some((f) => f.startsWith(baseName + ".bak"));
+	} catch {
+		return false;
+	}
+}
+let ConfigFileMissingRule = class ConfigFileMissingRule extends DiagnoseRule {
+	validate(ctx) {
+		const configPath = ctx.config.__configPath;
+		if (!configPath) return {
+			pass: false,
+			message: "configPath not provided"
+		};
+		if (fileExists(configPath)) return { pass: true };
+		if (hasBackupFiles(configPath)) return { pass: true };
+		return {
+			pass: false,
+			message: `配置文件不存在且无备份文件, 请创建 ${configPath}`
+		};
+	}
+};
+ConfigFileMissingRule = __decorate([Rule({
+	key: "config_file_missing",
+	dependsOn: ["config_file_recover"],
+	repairMode: "reset"
+})], ConfigFileMissingRule);
+//#endregion
+//#region src/rules/config-syntax.ts
+let ConfigSyntaxRule = class ConfigSyntaxRule extends DiagnoseRule {
+	validate(ctx) {
+		const configPath = ctx.config.__configPath;
+		if (!fileExists(configPath)) return { pass: true };
+		try {
+			loadJSON5().parse(readFile(configPath));
+			return { pass: true };
+		} catch (e) {
+			return {
+				pass: false,
+				message: `配置文件语法不正确, ${e.message}, 请修复${configPath}`
+			};
+		}
+	}
+};
+ConfigSyntaxRule = __decorate([Rule({
+	key: "config_syntax_check",
+	dependsOn: ["config_file_recover", "config_file_missing"],
+	repairMode: "ai"
+})], ConfigSyntaxRule);
+//#endregion
+//#region src/rules/model-provider.ts
+var _ModelProviderRule;
+let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
+	static {
+		_ModelProviderRule = this;
+	}
+	static DEFAULT_API_KEY = {
+		source: "file",
+		provider: "miaoda-provider",
+		id: "value"
+	};
+	static DEFAULT_X_API_KEY_HEADER = {
+		source: "file",
+		provider: "miaoda-secret-provider",
+		id: "/models_providers_miaoda_headers_x_api_key"
+	};
+	static DEFAULT_API = "openai-completions";
+	static getExpectedBaseUrl(vars) {
+		return vars.baseURL + "/api/v1/sgw/model/proxy";
+	}
+	validate(ctx) {
+		const provider = getNestedMap(ctx.config, "models", "providers", "miaoda");
+		if (!provider) return {
+			pass: false,
+			message: "models.providers.miaoda not found"
+		};
+		const expected = this.getExpected(ctx.vars);
+		if (provider.baseUrl !== expected.baseUrl) return {
+			pass: false,
+			message: "baseUrl mismatch: got " + provider.baseUrl + ", expected " + expected.baseUrl
+		};
+		const expectedApiKey = expected.apiKey && typeof expected.apiKey === "object" ? expected.apiKey : null;
+		if (expectedApiKey) if (typeof provider.apiKey === "object" && provider.apiKey !== null && !Array.isArray(provider.apiKey)) {
+			if (!matchMap(provider.apiKey, expectedApiKey)) return {
+				pass: false,
+				message: "apiKey object mismatch: got " + JSON.stringify(provider.apiKey)
+			};
+		} else if (typeof provider.apiKey === "string") {
+			if (!isValidJWT(provider.apiKey)) return {
+				pass: false,
+				message: "apiKey is a string but not a valid/unexpired JWT"
+			};
+		} else return {
+			pass: false,
+			message: "apiKey has unexpected type"
+		};
+		if (expected.api !== void 0) {
+			if (provider.api !== expected.api) return {
+				pass: false,
+				message: "api mismatch: got " + provider.api + ", expected " + expected.api
+			};
+		}
+		const expectedHeaders = getNestedMap(expected, "headers");
+		const expectedXApiKey = expectedHeaders ? expectedHeaders["x-api-key"] : void 0;
+		if (expectedXApiKey && typeof expectedXApiKey === "object") {
+			const xKey = (typeof provider.headers === "object" && provider.headers || {})["x-api-key"];
+			if (typeof xKey === "object" && xKey !== null && !Array.isArray(xKey)) {
+				if (!matchMap(xKey, expectedXApiKey)) return {
+					pass: false,
+					message: "headers.x-api-key object mismatch: got " + JSON.stringify(xKey)
+				};
+			} else if (typeof xKey === "string") {
+				if (xKey !== ctx.vars.innerAPIKey) return {
+					pass: false,
+					message: "headers.x-api-key string value mismatch"
+				};
+			} else return {
+				pass: false,
+				message: "headers.x-api-key has unexpected type"
+			};
+		}
+		return { pass: true };
+	}
+	repair(ctx) {
+		const expected = this.getExpected(ctx.vars);
+		setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"baseUrl"
+		], expected.baseUrl);
+		if (expected.apiKey !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"apiKey"
+		], expected.apiKey);
+		if (expected.api !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"api"
+		], expected.api);
+		if (expected.headers !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"headers"
+		], expected.headers);
+	}
+	getExpected(vars) {
+		return {
+			baseUrl: _ModelProviderRule.getExpectedBaseUrl(vars),
+			apiKey: _ModelProviderRule.DEFAULT_API_KEY,
+			api: _ModelProviderRule.DEFAULT_API,
+			headers: { "x-api-key": _ModelProviderRule.DEFAULT_X_API_KEY_HEADER }
+		};
+	}
+};
+ModelProviderRule = _ModelProviderRule = __decorate([Rule({
+	key: "model_provider",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	skipWhen: ({ hasMiaoda }) => !hasMiaoda
+})], ModelProviderRule);
+//#endregion
+//#region src/rules/secret-provider.ts
+var _SecretProviderRule;
+let SecretProviderRule = class SecretProviderRule extends DiagnoseRule {
+	static {
+		_SecretProviderRule = this;
+	}
+	static DEFAULT_MIAODA_PROVIDER = {
+		source: "file",
+		path: "/home/gem/workspace/.force/openclaw/miaoda-provider-key",
+		mode: "singleValue"
+	};
+	static DEFAULT_MIAODA_SECRET_PROVIDER = {
+		source: "file",
+		path: "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json",
+		mode: "json"
+	};
+	validate(ctx) {
+		const providers = getNestedMap(ctx.config, "secrets", "providers");
+		if (!providers) return {
+			pass: false,
+			message: "secrets.providers not found"
+		};
+		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
+		if (ctx.providerDeps.usesMiaodaProvider) {
+			const mp = providers["miaoda-provider"];
+			if (!mp || typeof mp !== "object" || !matchMap(mp, expectedMP)) return {
+				pass: false,
+				message: "secrets.providers.miaoda-provider mismatch: got " + JSON.stringify(mp)
+			};
+		}
+		if (ctx.providerDeps.usesMiaodaSecretProvider) {
+			const msp = providers["miaoda-secret-provider"];
+			if (!msp || typeof msp !== "object" || !matchMap(msp, expectedMSP)) return {
+				pass: false,
+				message: "secrets.providers.miaoda-secret-provider mismatch: got " + JSON.stringify(msp)
+			};
+		}
+		return { pass: true };
+	}
+	repair(ctx) {
+		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
+		if (ctx.providerDeps.usesMiaodaProvider) setNestedValue(ctx.config, [
+			"secrets",
+			"providers",
+			"miaoda-provider"
+		], expectedMP);
+		if (ctx.providerDeps.usesMiaodaSecretProvider) setNestedValue(ctx.config, [
+			"secrets",
+			"providers",
+			"miaoda-secret-provider"
+		], expectedMSP);
+	}
+	getExpected() {
+		return {
+			mp: _SecretProviderRule.DEFAULT_MIAODA_PROVIDER,
+			msp: _SecretProviderRule.DEFAULT_MIAODA_SECRET_PROVIDER
+		};
+	}
+};
+SecretProviderRule = _SecretProviderRule = __decorate([Rule({
+	key: "secret_provider",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider && !deps.usesMiaodaSecretProvider
+})], SecretProviderRule);
+//#endregion
+//#region src/rules/feishu-channel.ts
+var _FeishuChannelRule;
+let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
+	static {
+		_FeishuChannelRule = this;
+	}
+	static DEFAULT_APP_SECRET = {
+		source: "file",
+		provider: "miaoda-secret-provider",
+		id: "/channels_feishu_app_secret"
+	};
+	validate(ctx) {
+		const feishu = getNestedMap(ctx.config, "channels", "feishu");
+		if (!feishu) return {
+			pass: false,
+			message: "channels.feishu not found"
+		};
+		if (feishu.enabled !== true) return {
+			pass: false,
+			message: "channels.feishu.enabled mismatch: got " + feishu.enabled + ", expected true"
+		};
+		if (feishu.appId !== ctx.vars.feishuAppID) return {
+			pass: false,
+			message: "channels.feishu.appId mismatch: got " + feishu.appId + ", expected " + ctx.vars.feishuAppID
+		};
+		const expectedSecret = _FeishuChannelRule.DEFAULT_APP_SECRET;
+		const secret = feishu.appSecret;
+		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
+			if (!matchMap(secret, expectedSecret)) return {
+				pass: false,
+				message: "channels.feishu.appSecret object mismatch: got " + JSON.stringify(secret)
+			};
+		} else if (typeof secret === "string") {
+			if (secret !== ctx.vars.feishuAppSecret) return {
+				pass: false,
+				message: "channels.feishu.appSecret string value mismatch"
+			};
+		} else return {
+			pass: false,
+			message: "channels.feishu.appSecret has unexpected type"
+		};
+		return { pass: true };
+	}
+	repair(ctx) {
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"enabled"
+		], true);
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"appId"
+		], ctx.vars.feishuAppID);
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"appSecret"
+		], _FeishuChannelRule.DEFAULT_APP_SECRET);
+	}
+};
+FeishuChannelRule = _FeishuChannelRule = __decorate([Rule({
+	key: "feishu_channel",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], FeishuChannelRule);
+//#endregion
+//#region src/rules/gateway.ts
+var _GatewayRule;
+let GatewayRule = class GatewayRule extends DiagnoseRule {
+	static {
+		_GatewayRule = this;
+	}
+	static DEFAULT_PORT = 18789;
+	static DEFAULT_AUTH_MODE = "token";
+	static DEFAULT_AUTH_TOKEN = {
+		source: "file",
+		provider: "miaoda-secret-provider",
+		id: "/gateway_auth_token"
+	};
+	validate(ctx) {
+		const gateway = ctx.config.gateway;
+		if (!gateway || typeof gateway !== "object") return {
+			pass: false,
+			message: "gateway not found"
+		};
+		const gw = gateway;
+		if (gw.port !== _GatewayRule.DEFAULT_PORT) return {
+			pass: false,
+			message: "gateway.port mismatch: got " + gw.port + ", expected " + _GatewayRule.DEFAULT_PORT
+		};
+		const auth = gw.auth;
+		if (!auth || typeof auth !== "object") return {
+			pass: false,
+			message: "gateway.auth not found"
+		};
+		const authObj = auth;
+		if (authObj.mode !== _GatewayRule.DEFAULT_AUTH_MODE) return {
+			pass: false,
+			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected " + _GatewayRule.DEFAULT_AUTH_MODE
+		};
+		const token = authObj.token;
+		if (typeof token === "string") {
+			if (token !== ctx.vars.gatewayToken) return {
+				pass: false,
+				message: "gateway.auth.token string value mismatch"
+			};
+		} else if (typeof token === "object" && token !== null && !Array.isArray(token)) {
+			if (!matchMap(token, _GatewayRule.DEFAULT_AUTH_TOKEN)) return {
+				pass: false,
+				message: "gateway.auth.token object mismatch: got " + JSON.stringify(token)
+			};
+		} else return {
+			pass: false,
+			message: "gateway.auth.token has unexpected type"
+		};
+		const controlUi = gw.controlUi;
+		if (!controlUi || typeof controlUi !== "object") return {
+			pass: false,
+			message: "gateway.controlUi not found"
+		};
+		if (controlUi.dangerouslyDisableDeviceAuth !== true) return {
+			pass: false,
+			message: "gateway.controlUi.dangerouslyDisableDeviceAuth must be true, got " + controlUi.dangerouslyDisableDeviceAuth
+		};
+		return { pass: true };
+	}
+	repair(ctx) {
+		setNestedValue(ctx.config, ["gateway", "port"], _GatewayRule.DEFAULT_PORT);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"auth",
+			"mode"
+		], _GatewayRule.DEFAULT_AUTH_MODE);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"auth",
+			"token"
+		], _GatewayRule.DEFAULT_AUTH_TOKEN);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"controlUi",
+			"dangerouslyDisableDeviceAuth"
+		], true);
+	}
+};
+GatewayRule = _GatewayRule = __decorate([Rule({
+	key: "gateway",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], GatewayRule);
+//#endregion
+//#region src/rules/allowed-origins.ts
+let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
+	validate(ctx) {
+		const expected = getExpectedOrigins(ctx.vars);
+		if (expected.length === 0) return { pass: true };
+		const missing = findMissing(getCurrentOrigins(ctx.config), expected);
+		if (missing.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "allowedOrigins missing: " + JSON.stringify(missing)
+		};
+	}
+	repair(ctx) {
+		const expected = getExpectedOrigins(ctx.vars);
+		const current = getCurrentOrigins(ctx.config);
+		const missing = findMissing(current, expected);
+		if (missing.length > 0) {
+			const seen = /* @__PURE__ */ new Set();
+			const merged = [];
+			for (const o of current) if (!seen.has(o)) {
+				merged.push(o);
+				seen.add(o);
+			}
+			for (const o of missing) if (!seen.has(o)) {
+				merged.push(o);
+				seen.add(o);
+			}
+			setNestedValue(ctx.config, [
+				"gateway",
+				"controlUi",
+				"allowedOrigins"
+			], merged);
+		}
+	}
+};
+AllowedOriginsRule = __decorate([Rule({
+	key: "allowed_origins",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], AllowedOriginsRule);
+function getExpectedOrigins(vars) {
+	const origins = [];
+	if (vars.miaodaDomain) origins.push(vars.miaodaDomain);
+	if (vars.miaodaOrigin) origins.push(vars.miaodaOrigin);
+	if (Array.isArray(vars.miaodaOrigins)) {
+		for (const o of vars.miaodaOrigins) if (o) origins.push(o);
+	}
+	return [...new Set(origins)];
+}
+function getCurrentOrigins(config) {
+	const controlUi = getNestedMap(config, "gateway", "controlUi");
+	if (!controlUi) return [];
+	const raw = controlUi.allowedOrigins;
+	if (!Array.isArray(raw)) return [];
+	return raw.filter((o) => typeof o === "string");
+}
+function findMissing(current, expected) {
+	const set = new Set(current);
+	return expected.filter((o) => !set.has(o));
+}
+//#endregion
+//#region src/rules/jwt-token.ts
+let JwtTokenRule = class JwtTokenRule extends DiagnoseRule {
+	validate(ctx) {
+		const filePath = ctx.vars.providerFilePath;
+		if (!filePath) return {
+			pass: false,
+			message: "providerFilePath not set"
+		};
+		let token;
+		try {
+			token = readFile(filePath);
+		} catch (e) {
+			return {
+				pass: false,
+				message: "read provider key failed: " + e.message
+			};
+		}
+		if (!token) return {
+			pass: false,
+			message: "provider key file is empty"
+		};
+		const parts = token.split(".");
+		if (parts.length !== 3) return {
+			pass: false,
+			message: "invalid JWT format, got " + parts.length + " parts"
+		};
+		let claims;
+		try {
+			claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+		} catch (e) {
+			return {
+				pass: false,
+				message: "decode JWT payload failed: " + e.message
+			};
+		}
+		if (claims.exp === void 0) return {
+			pass: false,
+			message: "JWT has no exp claim"
+		};
+		if (typeof claims.exp !== "number") return {
+			pass: false,
+			message: "JWT exp has unexpected type"
+		};
+		const expMs = claims.exp * 1e3;
+		if (Date.now() >= expMs) return {
+			pass: false,
+			message: "JWT expired at " + new Date(expMs).toISOString()
+		};
+		return {
+			pass: true,
+			message: "JWT valid until " + new Date(expMs).toISOString()
+		};
+	}
+};
+JwtTokenRule = __decorate([Rule({
+	key: "jwt_token",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider
+})], JwtTokenRule);
+//#endregion
+//#region src/rules/secrets-file.ts
+let SecretsRule = class SecretsRule extends DiagnoseRule {
+	validate(ctx) {
+		const filePath = ctx.vars.secretsFilePath;
+		if (!filePath) return {
+			pass: false,
+			message: "secretsFilePath not set"
+		};
+		let content;
+		try {
+			content = readFile(filePath);
+		} catch (e) {
+			return {
+				pass: false,
+				message: "read secrets file failed: " + e.message
+			};
+		}
+		if (!content) return {
+			pass: false,
+			message: "secrets file is empty"
+		};
+		let secrets;
+		try {
+			secrets = JSON.parse(content);
+		} catch (e) {
+			return {
+				pass: false,
+				message: "unmarshal secrets failed: " + e.message
+			};
+		}
+		if (secrets.channels_feishu_app_secret !== ctx.vars.feishuAppSecret) return {
+			pass: false,
+			message: "channels_feishu_app_secret mismatch"
+		};
+		if (secrets.gateway_auth_token !== ctx.vars.gatewayToken) return {
+			pass: false,
+			message: "gateway_auth_token mismatch"
+		};
+		if (secrets.models_providers_miaoda_headers_x_api_key !== ctx.vars.innerAPIKey) return {
+			pass: false,
+			message: "models_providers_miaoda_headers_x_api_key mismatch"
+		};
+		return {
+			pass: true,
+			message: "secrets file content is correct"
+		};
+	}
+};
+SecretsRule = __decorate([Rule({
+	key: "secrets_file",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaSecretProvider
+})], SecretsRule);
+//#endregion
+//#region src/check.ts
+function runCheck(input) {
+	const result = { failedRules: {
+		standard: [],
+		ai: [],
+		reset: []
+	} };
+	const disabledSet = new Set(input.disabledRules || []);
+	const rules = getAllRules();
+	const failedKeys = /* @__PURE__ */ new Set();
+	let configParsed = false;
+	let ctx = {
+		config: { __configPath: input.configPath },
+		vars: input.vars,
+		providerDeps: {
+			usesMiaodaProvider: false,
+			usesMiaodaSecretProvider: false
+		}
+	};
+	for (const rule of rules) {
+		const meta = rule.meta;
+		if (disabledSet.has(meta.key)) continue;
+		if (meta.dependsOn?.some((dep) => failedKeys.has(dep))) continue;
+		if (meta.dependsOn?.includes("config_syntax_check") && !configParsed) try {
+			const parsed = loadJSON5().parse(readFile(input.configPath));
+			const deps = analyzeProviderDeps(parsed);
+			ctx = {
+				config: parsed,
+				vars: input.vars,
+				providerDeps: deps
+			};
+			configParsed = true;
+		} catch {
+			break;
+		}
+		if (meta.skipWhen && configParsed) {
+			const hasMiaoda = shouldCheckMiaodaRules(ctx.config);
+			if (meta.skipWhen({
+				hasMiaoda,
+				deps: ctx.providerDeps
+			})) continue;
+		}
+		const r = rule.validate(ctx);
+		if (!r.pass) {
+			failedKeys.add(meta.key);
+			pushFailedRule(result, meta.repairMode, meta.key, r.message || "");
+		}
+	}
+	return result;
+}
+function pushFailedRule(result, repairMode, key, detail) {
+	switch (repairMode) {
+		case "standard":
+			result.failedRules.standard.push(key);
+			break;
+		case "ai":
+			result.failedRules.ai.push({
+				rule_name: key,
+				detail
+			});
+			break;
+		case "reset":
+			result.failedRules.reset.push({
+				rule_name: key,
+				detail
+			});
+			break;
+	}
+}
+//#endregion
+//#region src/repair.ts
+function runRepair(input) {
+	try {
+		const failedSet = new Set(input.failedRules || []);
+		const repairData = input.repairData || {};
+		const rules = getAllRules();
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			rule.repair({
+				config: { __configPath: input.configPath },
+				vars: input.vars,
+				providerDeps: {
+					usesMiaodaProvider: false,
+					usesMiaodaSecretProvider: false
+				}
+			});
+		}
+		const JSON5 = loadJSON5();
+		let config;
+		try {
+			config = JSON5.parse(readFile(input.configPath));
+		} catch (e) {
+			return {
+				success: false,
+				error: "cannot parse config for repair: " + e.message
+			};
+		}
+		const deps = analyzeProviderDeps(config);
+		const ctx = {
+			config,
+			vars: input.vars,
+			providerDeps: deps
+		};
+		let configDirty = false;
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (!rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			rule.repair(ctx);
+			configDirty = true;
+		}
+		if (configDirty) writeFile(input.configPath, JSON.stringify(config, null, 2));
+		if (repairData.secretsContent && input.vars.secretsFilePath) writeFile(input.vars.secretsFilePath, repairData.secretsContent);
+		if (repairData.providerKeyContent && input.vars.providerFilePath) writeFile(input.vars.providerFilePath, repairData.providerKeyContent);
+		if (repairData.restartCommand) try {
+			shell(repairData.restartCommand, 3e4);
+		} catch (e) {
+			return {
+				success: false,
+				error: "restart command failed: " + e.message
+			};
+		}
+		return { success: true };
+	} catch (e) {
+		return {
+			success: false,
+			error: "repair failed: " + e.message
+		};
+	}
+}
+//#endregion
+//#region src/index.ts
+const args = node_process.default.argv.slice(2);
+const mode = args.find((a) => !a.startsWith("--"));
+const ctx = args.find((a) => a.startsWith("--ctx="))?.slice(6);
+if (!mode || !["check", "repair"].includes(mode)) {
+	console.error("Usage: mclaw-diagnose <check|repair> --ctx=<base64>");
+	node_process.default.exit(1);
+}
+if (!ctx) {
+	console.error("Error: --ctx=<base64> is required");
+	node_process.default.exit(1);
+}
+const input = JSON.parse(Buffer.from(ctx, "base64").toString("utf-8"));
+if (mode === "check") console.log(JSON.stringify(runCheck(input)));
+else console.log(JSON.stringify(runRepair(input)));
+//#endregion

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@lark-apaas/openclaw-scripts-diagnose-cli",
+  "version": "0.1.1-alpha.0",
+  "description": "CLI for OpenClaw config diagnose and repair with JSON5 support",
+  "main": "dist/index.cjs",
+  "bin": {
+    "mclaw-diagnose": "./dist/index.cjs"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsdown",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --config vitest.integration.config.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "openclaw",
+    "diagnose",
+    "cli"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "json5": "^2.2.3"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsdown": "^0.21.0",
+    "typescript": "^5.9.2",
+    "vitest": "^3.2.4"
+  }
+}