npm - @lark-apaas/openclaw-scripts-diagnose-cli - Versions diffs - 0.1.1-alpha.3 → 0.1.1-alpha.31 - Mend

@lark-apaas/openclaw-scripts-diagnose-cli 0.1.1-alpha.3 → 0.1.1-alpha.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +7 -1
package/dist/index.cjs +2065 -248
package/package.json +6 -2
package/template/openclaw.json +539 -0
package/template/scripts/restart.sh +37 -0
package/template/scripts/start.sh +6 -0
package/template/scripts/stop.sh +2 -0

package/dist/index.cjs CHANGED Viewed

@@ -31,6 +31,14 @@ let node_path = require("node:path");
 node_path = __toESM(node_path);
 let node_child_process = require("node:child_process");
 let node_crypto = require("node:crypto");
+node_crypto = __toESM(node_crypto);
+let node_os = require("node:os");
+node_os = __toESM(node_os);
+let node_stream = require("node:stream");
+let node_stream_promises = require("node:stream/promises");
+let node_assert = require("node:assert");
+node_assert = __toESM(node_assert);
+let _lark_apaas_http_client = require("@lark-apaas/http-client");
 //#region src/rule-engine/base.ts
 /** Abstract base class for all diagnose rules */
 var DiagnoseRule = class {
@@ -81,6 +89,17 @@ function topoSort(rules) {
 //#endregion
 //#region src/utils.ts
 /**
+* Canonical provider-ref for the feishu app secret. Both
+* `feishu_default_account` (multi-agent path) and `feishu_channel`
+* (single-agent path) use this as the source-of-truth `appSecret`
+* value when repairing.
+*/
+const DEFAULT_FEISHU_APP_SECRET = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/channels_feishu_app_secret"
+};
+/**
 * Navigate nested object by keys, returning the value if it's a non-array object,
 * or undefined otherwise.
 */
@@ -127,6 +146,14 @@ function isValidJWT(token) {
 		return false;
 	}
 }
+/**
+* Return `val` as a plain-object record (non-null, non-array object), or
+* `undefined` otherwise. Cheaper than `getNestedMap` when the value is already
+* at hand.
+*/
+function asRecord(val) {
+	return val != null && typeof val === "object" && !Array.isArray(val) ? val : void 0;
+}
 /** Set a deeply nested value, creating intermediate objects as needed. */
 function setNestedValue(obj, keys, value) {
 	let current = obj;
@@ -137,6 +164,25 @@ function setNestedValue(obj, keys, value) {
 	}
 	current[keys[keys.length - 1]] = value;
 }
+/**
+* Locate the "main" agent in `agents.list`. Preference order:
+*   1. Explicit `default: true` entry.
+*   2. Entry with `id === 'main'` (project naming convention).
+*   3. First entry in the list (positional fallback).
+* Returns `undefined` when `agents.list` is missing or empty.
+*/
+function findMainAgent(config) {
+	const agents = getNestedMap(config, "agents");
+	if (!agents) return void 0;
+	const list = agents.list;
+	if (!Array.isArray(list) || list.length === 0) return void 0;
+	const isObj = (a) => a != null && typeof a === "object" && !Array.isArray(a);
+	const explicit = list.find((a) => isObj(a) && a.default === true);
+	if (explicit) return explicit;
+	const namedMain = list.find((a) => isObj(a) && a.id === "main");
+	if (namedMain) return namedMain;
+	return isObj(list[0]) ? list[0] : void 0;
+}
 /** Analyze which miaoda providers the config references. */
 function analyzeProviderDeps(config) {
 	const deps = {
@@ -192,14 +238,14 @@ function fileExists(filePath) {
 	return node_fs.default.existsSync(filePath);
 }
 /** Execute a shell command, return stdout. Throws on failure. */
-function shell(cmd, timeoutMs = 1e4) {
+function shell(cmd, timeoutMs = 6e4) {
 	return (0, node_child_process.execSync)(cmd, {
 		encoding: "utf-8",
 		timeout: timeoutMs
 	}).trim();
 }
 //#endregion
-//#region \0@oxc-project+runtime@0.121.0/helpers/decorate.js
+//#region \0@oxc-project+runtime@0.115.0/helpers/decorate.js
 function __decorate(decorators, target, key, desc) {
 	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
 	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -245,11 +291,15 @@ function findBackupFiles(configPath) {
 }
 /**
 * Among backup files, find the one with the highest numeric suffix.
-* `.bak` (no number) is treated as 0, `.bak1` as 1, `.bak2` as 2, etc.
+* Supports all three naming styles used by the current backup code and its
+* older variants:
+*   `.bak`      → n = 0  (legacy single-slot backup)
+*   `.bakN`     → n = N  (older style, dot-less)
+*   `.bak.N`    → n = N  (current style written by reset Step 1)
 */
 function findHighestBackup(backupFiles) {
 	if (backupFiles.length === 0) return null;
-	const bakRegex = /\.bak(\d*)$/;
+	const bakRegex = /\.bak\.?(\d*)$/;
 	let best = null;
 	for (const f of backupFiles) {
 		const match = bakRegex.exec(f);
@@ -264,7 +314,7 @@ function findHighestBackup(backupFiles) {
 }
 let ConfigFileBackupRule = class ConfigFileBackupRule extends DiagnoseRule {
 	validate(ctx) {
-		const configPath = ctx.config.__configPath;
+		const { configPath } = ctx;
 		if (!configPath) return {
 			pass: false,
 			message: "configPath not provided"
@@ -277,7 +327,7 @@ let ConfigFileBackupRule = class ConfigFileBackupRule extends DiagnoseRule {
 		return { pass: true };
 	}
 	repair(ctx) {
-		const configPath = ctx.config.__configPath;
+		const { configPath } = ctx;
 		if (!configPath) return;
 		const best = findHighestBackup(findBackupFiles(configPath));
 		if (!best) return;
@@ -306,7 +356,7 @@ function hasBackupFiles(configPath) {
 }
 let ConfigFileMissingRule = class ConfigFileMissingRule extends DiagnoseRule {
 	validate(ctx) {
-		const configPath = ctx.config.__configPath;
+		const { configPath } = ctx;
 		if (!configPath) return {
 			pass: false,
 			message: "configPath not provided"
@@ -328,7 +378,7 @@ ConfigFileMissingRule = __decorate([Rule({
 //#region src/rules/config-syntax.ts
 let ConfigSyntaxRule = class ConfigSyntaxRule extends DiagnoseRule {
 	validate(ctx) {
-		const configPath = ctx.config.__configPath;
+		const { configPath } = ctx;
 		if (!fileExists(configPath)) return { pass: true };
 		try {
 			loadJSON5().parse(readFile(configPath));
@@ -347,6 +397,74 @@ ConfigSyntaxRule = __decorate([Rule({
 	repairMode: "ai"
 })], ConfigSyntaxRule);
 //#endregion
+//#region src/rules/template-vars-unreplaced.ts
+/**
+* Placeholder format used by miaoda-openclaw-template and Go-side templateVars,
+* e.g. `$$__FEISHU_APP_ID__`. Double underscores on both sides act as a natural
+* boundary so split-join replacement can't accidentally overlap between keys.
+*/
+const PLACEHOLDER_RE = /\$\$__[A-Z0-9_]+__/g;
+let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends DiagnoseRule {
+	validate(ctx) {
+		const found = /* @__PURE__ */ new Set();
+		collectPlaceholders(ctx.config, found);
+		if (found.size === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "存在未替换的模板占位符: " + [...found].sort().join(", ")
+		};
+	}
+	repair(ctx) {
+		const map = ctx.templateVars;
+		if (!map || Object.keys(map).length === 0) return;
+		replaceInPlace(ctx.config, Object.entries(map));
+	}
+};
+TemplateVarsUnreplacedRule = __decorate([Rule({
+	key: "template_vars_unreplaced",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], TemplateVarsUnreplacedRule);
+function collectPlaceholders(value, found) {
+	if (typeof value === "string") {
+		const matches = value.match(PLACEHOLDER_RE);
+		if (matches) for (const m of matches) found.add(m);
+		return;
+	}
+	if (Array.isArray(value)) {
+		for (const v of value) collectPlaceholders(v, found);
+		return;
+	}
+	if (value && typeof value === "object") for (const v of Object.values(value)) collectPlaceholders(v, found);
+}
+function replaceInPlace(value, entries) {
+	if (Array.isArray(value)) {
+		for (let i = 0; i < value.length; i++) {
+			const el = value[i];
+			if (typeof el === "string") value[i] = applyVars(el, entries);
+			else replaceInPlace(el, entries);
+		}
+		return;
+	}
+	if (value && typeof value === "object") {
+		const obj = value;
+		for (const key of Object.keys(obj)) {
+			const v = obj[key];
+			if (typeof v === "string") obj[key] = applyVars(v, entries);
+			else replaceInPlace(v, entries);
+		}
+	}
+}
+/** Split-join replacement — matches the algorithm in reset.ts:120 and avoids regex-escaping `$$`. */
+function applyVars(str, entries) {
+	let out = str;
+	for (const [placeholder, value] of entries) {
+		if (!value) continue;
+		if (out.includes(placeholder)) out = out.split(placeholder).join(value);
+	}
+	return out;
+}
+//#endregion
 //#region src/rules/model-provider.ts
 var _ModelProviderRule;
 let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
@@ -530,16 +648,11 @@ SecretProviderRule = _SecretProviderRule = __decorate([Rule({
 })], SecretProviderRule);
 //#endregion
 //#region src/rules/feishu-channel.ts
-var _FeishuChannelRule;
+/**
+* Owns `channels.feishu.enabled` + single-agent top-level appId/appSecret.
+* Multi-agent shape (`accounts` present) belongs to `feishu_default_account`.
+*/
 let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
-	static {
-		_FeishuChannelRule = this;
-	}
-	static DEFAULT_APP_SECRET = {
-		source: "file",
-		provider: "miaoda-secret-provider",
-		id: "/channels_feishu_app_secret"
-	};
 	validate(ctx) {
 		const feishu = getNestedMap(ctx.config, "channels", "feishu");
 		if (!feishu) return {
@@ -550,16 +663,16 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 			pass: false,
 			message: "channels.feishu.enabled mismatch: got " + feishu.enabled + ", expected true"
 		};
+		if (asRecord(feishu.accounts)) return { pass: true };
 		if (feishu.appId !== ctx.vars.feishuAppID) return {
 			pass: false,
-			message: "channels.feishu.appId mismatch: got " + feishu.appId + ", expected " + ctx.vars.feishuAppID
+			message: `channels.feishu.appId mismatch: got ${feishu.appId}, expected ${ctx.vars.feishuAppID}`
 		};
-		const expectedSecret = _FeishuChannelRule.DEFAULT_APP_SECRET;
 		const secret = feishu.appSecret;
 		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, expectedSecret)) return {
+			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) return {
 				pass: false,
-				message: "channels.feishu.appSecret object mismatch: got " + JSON.stringify(secret)
+				message: `channels.feishu.appSecret object mismatch: got ${JSON.stringify(secret)}`
 			};
 		} else if (typeof secret === "string") {
 			if (secret !== ctx.vars.feishuAppSecret) return {
@@ -578,6 +691,7 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 			"feishu",
 			"enabled"
 		], true);
+		if (asRecord(getNestedMap(ctx.config, "channels", "feishu").accounts)) return;
 		setNestedValue(ctx.config, [
 			"channels",
 			"feishu",
@@ -587,15 +701,167 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 			"channels",
 			"feishu",
 			"appSecret"
-		], _FeishuChannelRule.DEFAULT_APP_SECRET);
+		], DEFAULT_FEISHU_APP_SECRET);
 	}
 };
-FeishuChannelRule = _FeishuChannelRule = __decorate([Rule({
+FeishuChannelRule = __decorate([Rule({
 	key: "feishu_channel",
-	dependsOn: ["config_syntax_check"],
+	dependsOn: ["config_syntax_check", "feishu_default_account"],
 	repairMode: "standard"
 })], FeishuChannelRule);
 //#endregion
+//#region src/rules/feishu-default-account.ts
+/**
+* Owner of the multi-agent feishu channel shape: migrates legacy v1/v2
+* (top-level appId + defaultAccount/default) into v3 (`bot-<appId>` account),
+* detects + fixes drift on the main bot's appId/appSecret. Single-agent
+* configs (no `accounts`) are out of scope — handled by `feishu_channel`.
+*/
+let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRule {
+	validate(ctx) {
+		const feishu = getNestedMap(ctx.config, "channels", "feishu");
+		if (!feishu) return { pass: true };
+		const accounts = asRecord(feishu.accounts);
+		if (!accounts) return { pass: true };
+		const topAppId = feishu.appId;
+		if (typeof topAppId === "string" && topAppId !== "") return {
+			pass: false,
+			message: "channels.feishu has legacy shape; needs migration to accounts.bot-<appId>"
+		};
+		const mainBot = findMainBotAccount(ctx.config, accounts);
+		if (mainBot) {
+			const expectedAppId = ctx.vars?.feishuAppID;
+			if (typeof expectedAppId === "string" && expectedAppId !== "" && mainBot.acc.appId !== expectedAppId) return {
+				pass: false,
+				message: `accounts.${mainBot.accountId}.appId mismatch: got ${mainBot.acc.appId}, expected ${expectedAppId}`
+			};
+			if (!secretMatchesCanonical(mainBot.acc.appSecret)) return {
+				pass: false,
+				message: `accounts.${mainBot.accountId}.appSecret drift`
+			};
+		}
+		return { pass: true };
+	}
+	repair(ctx) {
+		const feishu = getNestedMap(ctx.config, "channels", "feishu");
+		if (!feishu) return;
+		const accounts = asRecord(feishu.accounts);
+		if (!accounts) return;
+		const topAppId = feishu.appId;
+		if (typeof topAppId === "string" && topAppId !== "") {
+			this.migrate(ctx, feishu, accounts, topAppId);
+			return;
+		}
+		this.enforceMainBotValues(ctx, accounts);
+	}
+	migrate(ctx, feishu, accounts, topAppId) {
+		const effectiveAppId = nonEmpty(ctx.vars?.feishuAppID) ?? topAppId;
+		const expectedKey = `bot-${effectiveAppId}`;
+		const existingBot = asRecord(accounts[expectedKey]) ?? {};
+		const defaultAccount = asRecord(accounts.defaultAccount) ?? {};
+		const defaultAcc = asRecord(accounts.default) ?? {};
+		const merged = {
+			...existingBot,
+			...defaultAccount,
+			...defaultAcc,
+			appId: effectiveAppId,
+			appSecret: DEFAULT_FEISHU_APP_SECRET
+		};
+		const chatID = ctx.vars?.teamChatID;
+		if (typeof chatID === "string" && chatID !== "") {
+			const existingGroups = asRecord(merged.groups) ?? {};
+			if (!(chatID in existingGroups)) merged.groups = {
+				...existingGroups,
+				[chatID]: { requireMention: false }
+			};
+		}
+		accounts[expectedKey] = merged;
+		delete accounts.defaultAccount;
+		delete accounts.default;
+		delete feishu.appId;
+		delete feishu.appSecret;
+		this.rewireBindings(ctx.config, expectedKey);
+	}
+	enforceMainBotValues(ctx, accounts) {
+		const mainBot = findMainBotAccount(ctx.config, accounts);
+		if (!mainBot) return;
+		const acc = accounts[mainBot.accountId];
+		const expectedAppId = nonEmpty(ctx.vars?.feishuAppID);
+		if (expectedAppId !== void 0 && acc.appId !== expectedAppId) acc.appId = expectedAppId;
+		if (!secretMatchesCanonical(acc.appSecret)) acc.appSecret = DEFAULT_FEISHU_APP_SECRET;
+	}
+	rewireBindings(config, expectedKey) {
+		if (!Array.isArray(config.bindings)) return;
+		const bindings = config.bindings;
+		for (const b of bindings) {
+			const match = asRecord(asRecord(b)?.match);
+			if (match && match.channel === "feishu" && (match.accountId === "defaultAccount" || match.accountId === "default")) match.accountId = expectedKey;
+		}
+		const seen = /* @__PURE__ */ new Set();
+		const deduped = [];
+		for (const b of bindings) {
+			const rec = asRecord(b);
+			if (!rec) continue;
+			const match = asRecord(rec.match);
+			const key = JSON.stringify([
+				rec.agentId,
+				match?.channel,
+				match?.accountId
+			]);
+			if (seen.has(key)) continue;
+			seen.add(key);
+			deduped.push(rec);
+		}
+		const mainId = findMainAgent(config)?.id;
+		if (typeof mainId === "string" && mainId !== "") {
+			if (!deduped.some((b) => {
+				const m = asRecord(b.match);
+				return b.agentId === mainId && m?.channel === "feishu" && m?.accountId === expectedKey;
+			})) deduped.push({
+				type: "route",
+				agentId: mainId,
+				match: {
+					channel: "feishu",
+					accountId: expectedKey
+				}
+			});
+		}
+		config.bindings = deduped;
+	}
+};
+FeishuDefaultAccountRule = __decorate([Rule({
+	key: "feishu_default_account",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], FeishuDefaultAccountRule);
+function nonEmpty(v) {
+	return typeof v === "string" && v !== "" ? v : void 0;
+}
+function findMainBotAccount(config, accounts) {
+	const mainId = findMainAgent(config)?.id;
+	if (typeof mainId !== "string" || mainId === "") return void 0;
+	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
+	for (const b of bindings) {
+		const rec = asRecord(b);
+		const match = asRecord(rec?.match);
+		if (rec && match && rec.agentId === mainId && match.channel === "feishu") {
+			const accountId = match.accountId;
+			if (typeof accountId === "string") {
+				const acc = asRecord(accounts[accountId]);
+				if (acc) return {
+					accountId,
+					acc
+				};
+			}
+		}
+	}
+}
+/** Bot accounts must carry the canonical provider-ref `appSecret`. */
+function secretMatchesCanonical(secret) {
+	if (typeof secret !== "object" || secret === null || Array.isArray(secret)) return false;
+	return matchMap(secret, DEFAULT_FEISHU_APP_SECRET);
+}
+//#endregion
 //#region src/rules/gateway.ts
 var _GatewayRule;
 let GatewayRule = class GatewayRule extends DiagnoseRule {
@@ -686,7 +952,9 @@ let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 	validate(ctx) {
 		const expected = getExpectedOrigins(ctx.vars);
 		if (expected.length === 0) return { pass: true };
-		const missing = findMissing(getCurrentOrigins(ctx.config), expected);
+		const current = getCurrentOrigins(ctx.config);
+		if (hasWildcard(current)) return { pass: true };
+		const missing = findMissing(current, expected);
 		if (missing.length === 0) return { pass: true };
 		return {
 			pass: false,
@@ -696,6 +964,7 @@ let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 	repair(ctx) {
 		const expected = getExpectedOrigins(ctx.vars);
 		const current = getCurrentOrigins(ctx.config);
+		if (hasWildcard(current)) return;
 		const missing = findMissing(current, expected);
 		if (missing.length > 0) {
 			const seen = /* @__PURE__ */ new Set();
@@ -735,6 +1004,10 @@ function findMissing(current, expected) {
 	const set = new Set(current);
 	return expected.filter((o) => !set.has(o));
 }
+/** Exact "*" entry means allow-all; pattern globs like "https://*.example.com" don't count. */
+function hasWildcard(origins) {
+	return origins.includes("*");
+}
 //#endregion
 //#region src/rules/jwt-token.ts
 let JwtTokenRule = class JwtTokenRule extends DiagnoseRule {
@@ -852,6 +1125,217 @@ SecretsRule = __decorate([Rule({
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaSecretProvider
 })], SecretsRule);
 //#endregion
+//#region src/rules/cleanup-install-backup-dirs.ts
+const DIR_PREFIX = ".openclaw-install-";
+function resolveExtensionsDir(configPath) {
+	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
+}
+function findLeftoverDirs(extensionsDir) {
+	if (!fileExists(extensionsDir)) return [];
+	let entries;
+	try {
+		entries = node_fs.default.readdirSync(extensionsDir, { withFileTypes: true });
+	} catch {
+		return [];
+	}
+	return entries.filter((e) => e.isDirectory() && e.name.startsWith(DIR_PREFIX)).map((e) => node_path.default.join(extensionsDir, e.name));
+}
+let CleanupInstallBackupDirsRule = class CleanupInstallBackupDirsRule extends DiagnoseRule {
+	validate(ctx) {
+		const { configPath } = ctx;
+		if (!configPath) return { pass: true };
+		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
+		if (dirs.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: `extensions 目录下发现 ${dirs.length} 个 ${DIR_PREFIX}* 脏目录需要清理`
+		};
+	}
+	repair(ctx) {
+		const { configPath } = ctx;
+		if (!configPath) return;
+		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
+		const failures = [];
+		for (const dir of dirs) try {
+			node_fs.default.rmSync(dir, {
+				recursive: true,
+				force: true
+			});
+		} catch (e) {
+			failures.push(`${node_path.default.basename(dir)}: ${e.message}`);
+		}
+		if (dirs.length > 0 && failures.length === dirs.length) throw new Error(`cleanup_install_backup_dirs: 全部清理失败: ${failures.join("; ")}`);
+	}
+};
+CleanupInstallBackupDirsRule = __decorate([Rule({
+	key: "cleanup_install_backup_dirs",
+	repairMode: "standard"
+})], CleanupInstallBackupDirsRule);
+//#endregion
+//#region src/rules/miaoda-official-plugins-install-spec-unlock.ts
+/**
+* Official miaoda-side plugins that must track manifest — version-locked specs
+* here block upgrades. Third-party / user-installed plugins are intentionally
+* out of scope (users may pin them deliberately).
+*/
+const OFFICIAL_PLUGIN_NAMES = new Set([
+	"openclaw-extension-miaoda",
+	"openclaw-extension-miaoda-coding",
+	"openclaw-guardian-plugin",
+	"openclaw-mem0-plugin",
+	"openclaw-lark"
+]);
+const LOCKED_NPM_SPEC = /^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*@[^@/:#\s]+$/i;
+function isLockedNpmSpec(spec) {
+	return typeof spec === "string" && LOCKED_NPM_SPEC.test(spec);
+}
+function unlockSpec(spec) {
+	const slash = spec.indexOf("/");
+	const cut = slash === -1 ? spec.indexOf("@") : spec.indexOf("@", slash + 1);
+	return spec.slice(0, cut);
+}
+/** Yield `[key, lockedSpec]` for every official-plugin install whose `spec` is locked. */
+function* iterLockedOfficialInstalls(config) {
+	const installs = getNestedMap(config, "plugins", "installs");
+	if (!installs) return;
+	for (const [key, entry] of Object.entries(installs)) {
+		if (!OFFICIAL_PLUGIN_NAMES.has(key)) continue;
+		const spec = asRecord(entry)?.spec;
+		if (isLockedNpmSpec(spec)) yield [key, spec];
+	}
+}
+let MiaodaOfficialPluginsInstallSpecUnlockRule = class MiaodaOfficialPluginsInstallSpecUnlockRule extends DiagnoseRule {
+	validate(ctx) {
+		const locked = [...iterLockedOfficialInstalls(ctx.config)].map(([k]) => k);
+		if (locked.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "plugins.installs 中官方插件存在锁版本的 spec: " + locked.sort().join(",")
+		};
+	}
+	repair(ctx) {
+		for (const [key, spec] of iterLockedOfficialInstalls(ctx.config)) setNestedValue(ctx.config, [
+			"plugins",
+			"installs",
+			key,
+			"spec"
+		], unlockSpec(spec));
+	}
+};
+MiaodaOfficialPluginsInstallSpecUnlockRule = __decorate([Rule({
+	key: "miaoda_official_plugins_install_spec_unlock",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], MiaodaOfficialPluginsInstallSpecUnlockRule);
+//#endregion
+//#region src/rules/old-miaoda-plugins-cleanup.ts
+const NEW_MIAODA = "openclaw-extension-miaoda";
+const OLD_PLUGIN_NAMES = Object.freeze([
+	"openclaw-feishu-greeting",
+	"openclaw-miaoda-keepalive",
+	"feishu-greeting",
+	"miaoda-keepalive"
+]);
+function getPluginMaps(config) {
+	const rawAllow = asRecord(config.plugins)?.allow;
+	return {
+		entries: getNestedMap(config, "plugins", "entries"),
+		installs: getNestedMap(config, "plugins", "installs"),
+		allow: Array.isArray(rawAllow) ? rawAllow : void 0
+	};
+}
+function getExtensionsDir(configPath) {
+	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
+}
+function hasNewMiaoda({ entries, installs, allow }) {
+	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
+}
+function findResiduals({ entries, installs, allow }, extensionsDir) {
+	return OLD_PLUGIN_NAMES.filter((name) => entries?.[name] != null || installs?.[name] != null || (allow?.includes(name) ?? false) || node_fs.default.existsSync(node_path.default.join(extensionsDir, name)));
+}
+let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends DiagnoseRule {
+	validate(ctx) {
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return { pass: true };
+		const residuals = findResiduals(maps, getExtensionsDir(ctx.configPath));
+		if (residuals.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "旧 miaoda 插件残留: " + residuals.sort().join(",")
+		};
+	}
+	repair(ctx) {
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return;
+		const extensionsDir = getExtensionsDir(ctx.configPath);
+		const { entries, installs, allow } = maps;
+		const oldSet = new Set(OLD_PLUGIN_NAMES);
+		if (allow) for (let i = allow.length - 1; i >= 0; i--) {
+			const v = allow[i];
+			if (typeof v === "string" && oldSet.has(v)) allow.splice(i, 1);
+		}
+		for (const name of OLD_PLUGIN_NAMES) {
+			if (entries && name in entries) delete entries[name];
+			if (installs && name in installs) delete installs[name];
+			const target = node_path.default.join(extensionsDir, name);
+			const rel = node_path.default.relative(extensionsDir, target);
+			if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
+			try {
+				node_fs.default.rmSync(target, {
+					recursive: true,
+					force: true
+				});
+			} catch (e) {
+				console.error(`[old_miaoda_plugins_cleanup] rmSync ${target} failed: ${e.message}`);
+			}
+		}
+	}
+};
+OldMiaodaPluginsCleanupRule = __decorate([Rule({
+	key: "old_miaoda_plugins_cleanup",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], OldMiaodaPluginsCleanupRule);
+//#endregion
+//#region src/rules/lark-plugin-allow.ts
+const LARK_PLUGIN = "openclaw-lark";
+const LARK_PLUGIN_NAMES = [LARK_PLUGIN, "feishu-openclaw-plugin"];
+let LarkPluginAllowRule = class LarkPluginAllowRule extends DiagnoseRule {
+	validate(ctx) {
+		const allow = getAllow(ctx.config);
+		if (LARK_PLUGIN_NAMES.some((name) => allow.includes(name))) return { pass: true };
+		return {
+			pass: false,
+			message: `plugins.allow 缺少飞书插件 (expected one of: ${LARK_PLUGIN_NAMES.join(", ")})`
+		};
+	}
+	repair(ctx) {
+		if (ctx.config.plugins == null || typeof ctx.config.plugins !== "object" || Array.isArray(ctx.config.plugins)) {
+			ctx.config.plugins = { allow: [LARK_PLUGIN] };
+			return;
+		}
+		const pluginsMap = ctx.config.plugins;
+		const rawAllow = pluginsMap.allow;
+		const original = Array.isArray(rawAllow) ? rawAllow : [];
+		const stringAllow = original.filter((e) => typeof e === "string");
+		if (LARK_PLUGIN_NAMES.some((name) => stringAllow.includes(name))) return;
+		original.push(LARK_PLUGIN);
+		pluginsMap.allow = original;
+	}
+};
+LarkPluginAllowRule = __decorate([Rule({
+	key: "lark_plugin_allow",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], LarkPluginAllowRule);
+function getAllow(config) {
+	const plugins = config.plugins;
+	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
+	const allow = plugins.allow;
+	if (!Array.isArray(allow)) return [];
+	return allow.filter((e) => typeof e === "string");
+}
+//#endregion
 //#region src/check.ts
 function runCheck(input) {
 	const result = { failedRules: {
@@ -864,12 +1348,14 @@ function runCheck(input) {
 	const failedKeys = /* @__PURE__ */ new Set();
 	let configParsed = false;
 	let ctx = {
-		config: { __configPath: input.configPath },
+		config: {},
+		configPath: input.configPath,
 		vars: input.vars,
 		providerDeps: {
 			usesMiaodaProvider: false,
 			usesMiaodaSecretProvider: false
-		}
+		},
+		templateVars: input.templateVars
 	};
 	for (const rule of rules) {
 		const meta = rule.meta;
@@ -880,8 +1366,10 @@ function runCheck(input) {
 			const deps = analyzeProviderDeps(parsed);
 			ctx = {
 				config: parsed,
+				configPath: input.configPath,
 				vars: input.vars,
-				providerDeps: deps
+				providerDeps: deps,
+				templateVars: input.templateVars
 			};
 			configParsed = true;
 		} catch {
@@ -933,12 +1421,14 @@ function runRepair(input) {
 			if (rule.meta.repairMode !== "standard") continue;
 			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
 			rule.repair({
-				config: { __configPath: input.configPath },
+				config: {},
+				configPath: input.configPath,
 				vars: input.vars,
 				providerDeps: {
 					usesMiaodaProvider: false,
 					usesMiaodaSecretProvider: false
-				}
+				},
+				templateVars: input.templateVars
 			});
 		}
 		const JSON5 = loadJSON5();
@@ -954,8 +1444,10 @@ function runRepair(input) {
 		const deps = analyzeProviderDeps(config);
 		const ctx = {
 			config,
+			configPath: input.configPath,
 			vars: input.vars,
-			providerDeps: deps
+			providerDeps: deps,
+			templateVars: input.templateVars
 		};
 		let configDirty = false;
 		for (const rule of rules) {
@@ -985,44 +1477,223 @@ function runRepair(input) {
 	}
 }
 //#endregion
-//#region src/backup.ts
-const BACKUP_PATH = "/home/gem/workspace/.force/openclaw/core-backup.json";
-function runBackup(input) {
+//#region src/paths.ts
+/**
+* Central directory for all ephemeral diagnose/reset artifacts: task status
+* files (`reset-<taskId>.json`) and human-readable step logs
+* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
+* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
+* run, and each run's log is right next to its state.
+*/
+const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
+function resetResultFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
+}
+function resetLogFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
+}
+/** Sandbox workspace root where openclaw config + agent state lives. */
+const WORKSPACE_DIR = "/home/gem/workspace/agent";
+/** File containing the provider key used by the openclaw miaoda provider. */
+const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
+/** File containing the miaoda openclaw secrets JSON. */
+const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
+/** Absolute path to the openclaw config JSON. */
+const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
+//#endregion
+//#region src/logger.ts
+/**
+* Shared CLI log file. Every log line the CLI emits — whether through
+* `console.error` (rules, helpers, errors) or through the per-task
+* `makeLogger` (reset worker) — is tee'd here so operators have a single
+* file to tail when diagnosing a sandbox.
+*
+* `/tmp` is ephemeral on sandbox restart; we rely on that for rotation
+* (no size-based rotation implemented).
+*/
+const CLI_LOG_FILE = "/tmp/openclaw-diagnose/cli.log";
+/** Append one line to the shared cli.log. Swallows any fs error —
+*  logging must never break the business flow. */
+function appendCliLog(line) {
+	try {
+		const dir = node_path.default.dirname(CLI_LOG_FILE);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+		node_fs.default.appendFileSync(CLI_LOG_FILE, line);
+	} catch {}
+}
+let stderrMirrorInstalled = false;
+/**
+* Install a process-wide `console.error` interceptor that mirrors each
+* line to BOTH the original stderr AND cli.log. Call once at CLI entry
+* before any subcommand dispatch; idempotent.
+*
+* Why console.error and not console.log: the CLI's stdout carries the
+* structured JSON result protocol consumed by sandbox_console and other
+* callers — any log line on stdout would corrupt JSON parsing. Rules,
+* helpers, and error paths therefore must route debug output through
+* console.error (stderr).
+*/
+function installStderrMirror() {
+	if (stderrMirrorInstalled) return;
+	stderrMirrorInstalled = true;
+	const original = console.error.bind(console);
+	console.error = (...args) => {
+		original(...args);
+		const body = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
+		appendCliLog(`[${(/* @__PURE__ */ new Date()).toISOString()}] ${body}\n`);
+	};
+}
+function safeStringify(v) {
 	try {
-		const { configPath } = input;
+		return JSON.stringify(v);
+	} catch {
+		return String(v);
+	}
+}
+function makeLogger(logFile) {
+	try {
+		const dir = node_path.default.dirname(logFile);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	} catch {}
+	return (msg) => {
+		const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] ${msg}\n`;
 		try {
-			const validateOutput = shell("openclaw config validate --json");
-			if (!JSON.parse(validateOutput).valid) return {
-				success: false,
-				error: "config validation failed"
-			};
-		} catch (e) {
-			return {
-				success: false,
-				error: "config validate command failed: " + e.message
-			};
-		}
-		if (!fileExists(configPath)) return {
-			success: false,
-			error: "config file not found: " + configPath
-		};
-		const config = loadJSON5().parse(readFile(configPath));
-		const backup = { _backup_meta: { created_at: (/* @__PURE__ */ new Date()).toISOString() } };
-		if (config.agents) backup.agents = config.agents;
-		if (config.bindings) backup.bindings = config.bindings;
-		const feishu = config.channels?.feishu;
-		if (feishu?.accounts) backup.channels = { feishu: { accounts: feishu.accounts } };
-		const backupDir = node_path.default.dirname(BACKUP_PATH);
-		if (!node_fs.default.existsSync(backupDir)) node_fs.default.mkdirSync(backupDir, { recursive: true });
-		const tmpPath = BACKUP_PATH + ".tmp";
-		node_fs.default.writeFileSync(tmpPath, JSON.stringify(backup, null, 2), "utf-8");
-		node_fs.default.renameSync(tmpPath, BACKUP_PATH);
-		return { success: true };
+			node_fs.default.appendFileSync(logFile, line);
+		} catch {}
+		appendCliLog(line);
+	};
+}
+//#endregion
+//#region src/fs-utils.ts
+/**
+* Rename src → dst, falling back to `mv` (which handles cross-device copy)
+* when the kernel returns EXDEV.
+*
+* Sandbox filesystems can put sibling paths on different "devices" from
+* rename(2)'s point of view: bind mounts, overlayfs copy-up, and
+* mount-point children inside a single directory all trip EXDEV. Seen in
+* production when reset's atomic swap did
+*   /home/gem/.npm-global/lib/node_modules/openclaw → openclaw.bak
+* and the openclaw subdir was a bind-mounted volume.
+*
+* Behavior:
+*   - Happy path hits rename(2) — atomic, single syscall, microseconds.
+*   - EXDEV path shells out to `mv`, which does rename() then copy+unlink
+*     on failure. Non-atomic but correct; callers already have rollback
+*     logic (install-openclaw restores from .bak) so loss of atomicity
+*     only matters if the process dies mid-copy, and that's survivable.
+*   - Any other error (ENOENT, EACCES, EBUSY...) rethrows as-is so callers
+*     see the real problem instead of a misleading `mv` fallback failure.
+*/
+function moveSafe(src, dst) {
+	try {
+		node_fs.default.renameSync(src, dst);
 	} catch (e) {
-		return {
-			success: false,
-			error: "backup failed: " + e.message
-		};
+		if (e?.code !== "EXDEV") throw e;
+		execCaptureErr(`mv ${shellQuote(src)} ${shellQuote(dst)}`);
+	}
+}
+/**
+* Run a shell command, re-throwing with stderr attached on failure.
+*
+* Node's `execSync(..., { stdio: 'ignore' })` swallows stderr entirely —
+* callers only see "Command failed: <cmd>" with no hint of the real error
+* (ENOSPC, EROFS, "unrecognized option", etc.). Production debugging on
+* sandboxed boxes is painful without the underlying message, so we pipe
+* stderr, capture it, and embed it in the thrown Error. stdout stays
+* suppressed because the commands we run here (tar/mv) are silent on
+* success.
+*/
+function execCaptureErr(cmd) {
+	try {
+		(0, node_child_process.execSync)(cmd, { stdio: [
+			"ignore",
+			"ignore",
+			"pipe"
+		] });
+	} catch (e) {
+		const stderr = e?.stderr;
+		const stderrStr = (typeof stderr === "string" ? stderr : stderr?.toString("utf8") ?? "").trim();
+		const base = e?.message ?? "command failed";
+		throw new Error(stderrStr ? `${base}\nstderr: ${stderrStr}` : base);
+	}
+}
+/** POSIX single-quote shell escape. Paths with embedded quotes are rare but
+*  the token-file path conventions in sandboxes don't guarantee cleanliness. */
+function shellQuote(s) {
+	return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+/**
+* Extract an npm-packed gzipped tarball.
+*
+* ## The problem this works around
+*
+* Some tarballs (openclaw's among them — they're not packed by vanilla
+* `npm pack`) include relative symlinks inside nested .bin/ dirs whose
+* targets contain `..`, e.g.
+*   node_modules/<pkg>/node_modules/.bin/foo -> ../foo/bin/cli.js
+*
+* GNU tar classifies any symlink target with `..` or a leading `/` as
+* "dangerous" and defers its extraction to a post-files pass, while also
+* needing a post-files pass to restore directory permissions/mtimes. The
+* two passes race: the deferred-symlink handling mutates parent-dir inodes,
+* then the directory stat-restore pass does `fstatat()` and the recorded
+* inode doesn't match, firing
+*
+*   tar: <path>: Directory renamed before its status could be extracted
+*
+* from `apply_nonancestor_delayed_set_stat()` in extract.c. This is an
+* `ERROR` (hard-fail, exit 2) — the `--warning=no-rename-directory`
+* keyword controls a different, incremental-archive code path and does
+* NOT silence this. Reference: Paul Eggert, bug-tar 2004-04:
+* https://lists.gnu.org/archive/html/bug-tar/2004-04/msg00021.html
+*
+* ## The fix
+*
+* Pass `--absolute-names` (aka `-P`). Per GNU tar docs, this disables the
+* "normalize dangerous names" logic — including the deferred-symlink pass
+* that's racing us. Also stops stripping leading `/`, but our tarballs
+* only contain relative (`./node_modules/...`) paths so there's nothing
+* to strip. Safe because:
+*   - The tarball is sha512-verified upstream (downloadWithCache)
+*   - All entry paths are relative, no absolute-path escape risk
+*   - All dangerous symlink targets resolve within the extracted tree
+*
+* ## Belt-and-suspenders
+*
+* If some tar variant still emits the error despite -P, we fall through
+* to checking the stderr pattern: if every error line is the benign
+* "Directory renamed …" text (no real failures like ENOSPC/EACCES/gzip
+* CRC/etc.), swallow exit 2. Callers MUST still verify extraction
+* (e.g. `fs.existsSync(path.join(dest, 'package.json'))`) — tar's
+* `skip_this_one = 1` after the error means some dirs missed their
+* mtime/mode restore, but content was written.
+*/
+function extractTarballTolerant(tarball, destDir, opts = {}) {
+	const strip = opts.stripComponents ?? 0;
+	const stripFlag = strip > 0 ? ` --strip-components=${strip}` : "";
+	const cmd = `tar -xzf ${shellQuote(tarball)} -C ${shellQuote(destDir)}${stripFlag} -P`;
+	try {
+		execCaptureErr(cmd);
+		return;
+	} catch (e) {
+		const msg = e?.message ?? "";
+		const hasFalseAlarm = msg.includes("Directory renamed before its status could be extracted");
+		const hasFatal = [
+			/Cannot open/i,
+			/Cannot mkdir/i,
+			/Cannot create/i,
+			/No space left on device/i,
+			/Disk quota exceeded/i,
+			/Permission denied/i,
+			/Read-only file system/i,
+			/unrecognized option/i,
+			/gzip:/i,
+			/Unexpected EOF/i,
+			/Invalid argument/i
+		].some((r) => r.test(msg));
+		if (!hasFalseAlarm || hasFatal) throw e;
+		console.error(`[tar] -P did not suppress "Directory renamed" on ${tarball}; tolerating (content must be verified by caller)`);
 	}
 }
 //#endregion
@@ -1034,7 +1705,9 @@ function runBackup(input) {
 */
 function startAsyncReset(ctxBase64) {
 	const taskId = (0, node_crypto.randomUUID)();
-	const resultFile = `/tmp/openclaw-reset-${taskId}.json`;
+	const resultFile = resetResultFile(taskId);
+	const log = makeLogger(resetLogFile(taskId));
+	log(`=== startAsyncReset spawning worker for taskId=${taskId} ===`);
 	const initial = {
 		status: "running",
 		step: 0,
@@ -1046,7 +1719,7 @@ function startAsyncReset(ctxBase64) {
 	const dir = node_path.default.dirname(resultFile);
 	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
 	node_fs.default.writeFileSync(tmpPath, JSON.stringify(initial), "utf-8");
-	node_fs.default.renameSync(tmpPath, resultFile);
+	moveSafe(tmpPath, resultFile);
 	const child = (0, node_child_process.spawn)(process.execPath, [
 		process.argv[1],
 		"reset",
@@ -1058,6 +1731,7 @@ function startAsyncReset(ctxBase64) {
 		stdio: "ignore"
 	});
 	child.on("error", (err) => {
+		log(`FATAL worker failed to start: ${err.message}`);
 		const failResult = {
 			status: "failed",
 			step: 0,
@@ -1069,52 +1743,295 @@ function startAsyncReset(ctxBase64) {
 		};
 		const errTmpPath = resultFile + ".tmp";
 		node_fs.default.writeFileSync(errTmpPath, JSON.stringify(failResult));
-		node_fs.default.renameSync(errTmpPath, resultFile);
+		moveSafe(errTmpPath, resultFile);
 	});
 	child.unref();
+	log(`spawned worker pid=${child.pid}`);
 	return { taskId };
 }
 //#endregion
+//#region src/oss/fetchManifest.ts
+const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
+const MANIFEST_SUFFIX = ".json";
+async function fetchManifest(ossFileMap, tag) {
+	const key = `${MANIFEST_PREFIX}${tag}${MANIFEST_SUFFIX}`;
+	const url = ossFileMap[key];
+	if (!url) {
+		const available = Object.keys(ossFileMap).filter((k) => k.startsWith(MANIFEST_PREFIX) && k.endsWith(MANIFEST_SUFFIX)).map((k) => k.slice(39, -5));
+		const availStr = available.length ? available.join(", ") : "(none)";
+		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
+	}
+	const res = await fetch(url);
+	if (!res.ok) throw new Error(`fetch manifest failed: HTTP ${res.status} ${res.statusText}`);
+	return await res.json();
+}
+async function downloadWithCache(pkg, ossFileMap, opts = {}) {
+	const cacheRoot = opts.cacheRoot ?? "/tmp/openclaw-diagnose/resources";
+	const shortHash = pkg.shasum.slice(0, 16);
+	const destDir = node_path.default.join(cacheRoot, shortHash);
+	const destFile = node_path.default.join(destDir, node_path.default.posix.basename(pkg.ossKey));
+	node_fs.default.mkdirSync(destDir, { recursive: true });
+	if (node_fs.default.existsSync(destFile)) return destFile;
+	const url = ossFileMap[pkg.ossKey];
+	if (!url) throw new Error(`signed URL missing for ${pkg.ossKey}`);
+	if (!pkg.integrity.startsWith("sha512-")) throw new Error(`unsupported integrity format: ${pkg.integrity}`);
+	const expected = pkg.integrity.slice(7);
+	const tmpFile = node_path.default.join(destDir, `.tmp.${process.pid}.${node_crypto.default.randomBytes(4).toString("hex")}`);
+	try {
+		const res = await fetch(url);
+		if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
+		if (!res.body) throw new Error(`download failed: empty body for ${pkg.ossKey}`);
+		const hasher = node_crypto.default.createHash("sha512");
+		const source = node_stream.Readable.fromWeb(res.body);
+		async function* teeAndHash(src) {
+			for await (const chunk of src) {
+				hasher.update(chunk);
+				yield chunk;
+			}
+		}
+		await (0, node_stream_promises.pipeline)(source, teeAndHash, node_fs.default.createWriteStream(tmpFile));
+		const actual = hasher.digest("base64");
+		if (actual !== expected) {
+			const envBypass = process.env.OPENCLAW_DEBUG_SKIP_INTEGRITY === "1";
+			if (opts.skipIntegrity || envBypass) {
+				const sourceLabel = opts.skipIntegrity ? "skipIntegrity=true" : "OPENCLAW_DEBUG_SKIP_INTEGRITY=1";
+				console.error(`⚠ [downloadWithCache] INTEGRITY BYPASS for ${pkg.ossKey}: expected ${expected.slice(0, 12)}… got ${actual.slice(0, 12)}… — ${sourceLabel}. DO NOT use this flag in production.`);
+			} else throw new Error(`integrity mismatch for ${pkg.ossKey}: expected ${expected} got ${actual}`);
+		}
+		moveSafe(tmpFile, destFile);
+		return destFile;
+	} catch (e) {
+		try {
+			node_fs.default.unlinkSync(tmpFile);
+		} catch {}
+		throw e;
+	}
+}
+async function installOpenclaw(openclawTag, ossFileMap, opts = {}) {
+	const homeBase = opts.homeBase ?? "/home/gem";
+	const t0 = Date.now();
+	const pkg = (await fetchManifest(ossFileMap, openclawTag)).packages.find((p) => p.role === "cli" && p.name === "openclaw");
+	if (!pkg) throw new Error("install-openclaw: role=cli,name=openclaw not found in manifest");
+	const targetDir = opts.targetDir ?? node_path.default.join(homeBase, pkg.installPath);
+	const bakDir = targetDir + ".bak";
+	const newDir = targetDir + ".new";
+	const tarball = await downloadWithCache(pkg, ossFileMap, opts);
+	console.error(`[install-openclaw] tag=${openclawTag} shasum=${pkg.shasum.slice(0, 12)}...`);
+	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
+		recursive: true,
+		force: true
+	});
+	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
+	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(opts.tmpRoot ?? node_os.default.tmpdir(), "openclaw-install-"));
+	try {
+		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
+		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error("extracted tarball missing package.json");
+		moveSafe(tmpStage, newDir);
+		const hadExisting = node_fs.default.existsSync(targetDir);
+		try {
+			if (hadExisting) moveSafe(targetDir, bakDir);
+			moveSafe(newDir, targetDir);
+		} catch (e) {
+			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
+				moveSafe(bakDir, targetDir);
+			} catch {}
+			try {
+				node_fs.default.rmSync(newDir, {
+					recursive: true,
+					force: true
+				});
+			} catch {}
+			throw e;
+		}
+		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+			recursive: true,
+			force: true
+		});
+	} finally {
+		if (node_fs.default.existsSync(tmpStage)) try {
+			node_fs.default.rmSync(tmpStage, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+	}
+	console.error(`[install-openclaw] done in ${Date.now() - t0}ms`);
+}
+async function installExtension(tag, ossFileMap, opts = {}) {
+	const homeBase = opts.homeBase ?? "/home/gem";
+	const hasAll = !!opts.all;
+	const hasNames = (opts.names?.length ?? 0) > 0;
+	if (hasAll && hasNames) throw new Error("install-extension: --all and --extension are mutually exclusive");
+	if (!hasAll && !hasNames) throw new Error("install-extension: must provide --all or --extension=<name>");
+	const allExts = (await fetchManifest(ossFileMap, tag)).packages.filter((p) => p.role === "extension");
+	let targets;
+	if (hasAll) targets = allExts;
+	else {
+		const wanted = new Set(opts.names);
+		targets = allExts.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
+		const foundKeys = /* @__PURE__ */ new Set();
+		for (const t of targets) {
+			foundKeys.add(t.name);
+			if (t.packageName) foundKeys.add(t.packageName);
+		}
+		const missing = opts.names.filter((n) => !foundKeys.has(n));
+		if (missing.length > 0) throw new Error(`install-extension: not found in manifest: ${missing.join(", ")}`);
+	}
+	console.error(`[install-extension] tag=${tag} targets=${targets.length}`);
+	const t0 = Date.now();
+	const tarballs = await Promise.all(targets.map(async (p) => {
+		const tb = await downloadWithCache(p, ossFileMap, opts);
+		console.error(`[install-extension]   ${p.name}: downloaded`);
+		return {
+			pkg: p,
+			tarball: tb
+		};
+	}));
+	for (const { pkg, tarball } of tarballs) {
+		installOne(pkg, tarball, homeBase);
+		console.error(`[install-extension]   ${pkg.name}: installed`);
+	}
+	if (!opts.skipConfigUpdate) updatePluginInstalls(opts.configPath ?? node_path.default.join(homeBase, "workspace/agent/openclaw.json"), targets);
+	else console.error(`[install-extension] skipConfigUpdate=true — not touching openclaw.json`);
+	console.error(`[install-extension] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
+}
+/**
+* Merge each installed extension's installMetadata into openclaw.json's
+* plugins.installs[<pkg.name>]. Atomic write via tmp + rename.
+*
+* - No openclaw.json → log + return (not an error; some install contexts don't have it yet)
+* - Extension without installMetadata in manifest → skip that entry (log)
+* - Existing plugins.installs entries for other extensions left untouched
+*/
+function updatePluginInstalls(configPath, installedPkgs) {
+	if (!node_fs.default.existsSync(configPath)) {
+		console.error(`[install-extension] no config at ${configPath} — skip plugins.installs update`);
+		return;
+	}
+	const JSON5 = loadJSON5();
+	const raw = node_fs.default.readFileSync(configPath, "utf-8");
+	const config = JSON5.parse(raw);
+	if (!config.plugins || typeof config.plugins !== "object") config.plugins = {};
+	const plugins = config.plugins;
+	if (!plugins.installs || typeof plugins.installs !== "object") plugins.installs = {};
+	const installs = plugins.installs;
+	let updated = 0;
+	let skipped = 0;
+	for (const pkg of installedPkgs) if (pkg.installMetadata) {
+		installs[pkg.name] = pkg.installMetadata;
+		updated++;
+	} else skipped++;
+	const tmpPath = configPath + ".installs-tmp";
+	node_fs.default.writeFileSync(tmpPath, JSON.stringify(config, null, 2), "utf-8");
+	moveSafe(tmpPath, configPath);
+	console.error(`[install-extension] plugins.installs updated: ${updated} entry(ies) in ${configPath}` + (skipped > 0 ? ` (${skipped} package(s) without installMetadata skipped)` : ""));
+}
+function installOne(pkg, tarball, homeBase) {
+	const destDir = node_path.default.join(homeBase, pkg.installPath);
+	const stagingDir = destDir + ".new";
+	const oldDir = destDir + ".old";
+	node_fs.default.mkdirSync(node_path.default.dirname(destDir), { recursive: true });
+	if (node_fs.default.existsSync(stagingDir)) node_fs.default.rmSync(stagingDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(stagingDir);
+	try {
+		extractTarballTolerant(tarball, stagingDir, { stripComponents: 1 });
+		if (!node_fs.default.existsSync(node_path.default.join(stagingDir, "package.json"))) throw new Error(`extension tarball missing package.json: ${pkg.name}`);
+	} catch (e) {
+		try {
+			node_fs.default.rmSync(stagingDir, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+		throw e;
+	}
+	const hadOld = node_fs.default.existsSync(destDir);
+	if (hadOld) moveSafe(destDir, oldDir);
+	moveSafe(stagingDir, destDir);
+	if (hadOld && node_fs.default.existsSync(oldDir)) node_fs.default.rmSync(oldDir, {
+		recursive: true,
+		force: true
+	});
+}
+/**
+* Download + extract a config/template package to its install destination.
+*
+* Current manifest has all resources as format=tgz with content at the root
+* (config: openclaw.json file at root; template: scripts/ dir at root), so we
+* always `tar -xzf` without --strip-components into `dirname(fullInstallPath)`.
+* The final artefact ends up at exactly `homeBase + pkg.installPath`.
+*/
+async function downloadResource(tag, ossFileMap, opts) {
+	const homeBase = opts.homeBase ?? "/home/gem";
+	const pkg = (await fetchManifest(ossFileMap, tag)).packages.find((p) => p.role === opts.role && p.name === opts.name);
+	if (!pkg) throw new Error(`download-resource: not found in manifest: role=${opts.role} name=${opts.name}`);
+	const file = await downloadWithCache(pkg, ossFileMap, opts);
+	const fullInstallPath = node_path.default.join(homeBase, pkg.installPath);
+	const extractDir = opts.dir ?? node_path.default.dirname(fullInstallPath);
+	node_fs.default.mkdirSync(extractDir, { recursive: true });
+	const format = (pkg.format ?? "").toLowerCase();
+	const lower = pkg.ossKey.toLowerCase();
+	if (format === "tgz" || lower.endsWith(".tgz") || lower.endsWith(".tar.gz")) {
+		extractTarballTolerant(file, extractDir);
+		console.error(`[download-resource] ${opts.role}/${opts.name}: extracted to ${extractDir}`);
+	} else {
+		const basename = node_path.default.posix.basename(pkg.ossKey);
+		node_fs.default.copyFileSync(file, node_path.default.join(extractDir, basename));
+		console.error(`[download-resource] ${opts.role}/${opts.name}: copied ${basename} to ${extractDir}`);
+	}
+}
+//#endregion
+//#region src/oss/getOpenclawTag.ts
+/**
+* Extracts the openclaw tag from the manifest key present in ossFileMap.
+* Avoids passing an extra ctx field — we already know the tag from the
+* well-known manifest key studio_server included.
+*
+* Manifest key shape: builtin/manifests/openclaw/recommended/<tag>.json
+*/
+function getOpenclawTagFromOssFileMap(ossFileMap) {
+	const prefix = "builtin/manifests/openclaw/recommended/";
+	const suffix = ".json";
+	for (const key of Object.keys(ossFileMap)) if (key.startsWith(prefix) && key.endsWith(suffix)) return key.slice(39, -5);
+	throw new Error("cannot resolve openclaw tag: ossFileMap missing manifest key");
+}
+//#endregion
 //#region src/reset.ts
 const STEPS = [
 	"备份当前配置",
-	"下载技术栈模板",
 	"生成默认配置",
 	"杀掉 openclaw 进程",
-	"重装 openclaw",
+	"等待沙箱初始化完成",
+	"确认 openclaw 版本",
 	"合并核心备份配置",
-	"复制启动脚本",
-	"重装内置插件",
+	"检查启动脚本",
+	"安装扩展",
 	"启动并验证"
 ];
 const TOTAL_STEPS = STEPS.length;
-const CORE_BACKUP_PATH = "/home/gem/workspace/.force/openclaw/core-backup.json";
-const TMP_RESET_DIR = "/tmp/openclaw-reset";
-/**
-* Atomically write the result file (write .tmp + rename).
-*/
 function writeResultFile(resultFile, result) {
 	const dir = node_path.default.dirname(resultFile);
 	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
 	const tmpPath = resultFile + ".tmp";
 	node_fs.default.writeFileSync(tmpPath, JSON.stringify(result), "utf-8");
-	node_fs.default.renameSync(tmpPath, resultFile);
+	moveSafe(tmpPath, resultFile);
 }
-/**
-* Update progress in the result file.
-*/
-function updateProgress(resultFile, step, progress, startedAt) {
+function updateProgress(resultFile, step, startedAt) {
 	writeResultFile(resultFile, {
 		status: "running",
 		step,
 		totalSteps: TOTAL_STEPS,
-		progress,
+		progress: STEPS[step - 1],
 		startedAt
 	});
 }
-/**
-* Mark the task as done.
-*/
 function markDone(resultFile, startedAt) {
 	writeResultFile(resultFile, {
 		status: "done",
@@ -1125,147 +2042,362 @@ function markDone(resultFile, startedAt) {
 		completedAt: (/* @__PURE__ */ new Date()).toISOString()
 	});
 }
-/**
-* Mark the task as failed.
-*/
-function markFailed(resultFile, step, progress, error, startedAt) {
+function markFailed(resultFile, step, error, startedAt) {
 	writeResultFile(resultFile, {
 		status: "failed",
 		step,
 		totalSteps: TOTAL_STEPS,
-		progress,
+		progress: step > 0 ? STEPS[step - 1] : "初始化",
 		error,
 		startedAt,
 		completedAt: (/* @__PURE__ */ new Date()).toISOString()
 	});
 }
 /**
+* Download the template assets (config/openclaw.json + template/scripts) from
+* OSS into a scratch directory so the existing step 2 (generateDefaultConfig)
+* and step 7 (copyStartupScripts) can consume them as local files — the rest
+* of the orchestrator code stays untouched.
+*
+* Called once before step 1. The caller is responsible for rm -rf'ing
+* stagedDir in a finally{} block after the reset completes (or fails).
+*/
+async function stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log) {
+	if (node_fs.default.existsSync(stagedDir)) node_fs.default.rmSync(stagedDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(stagedDir, { recursive: true });
+	await downloadResource(openclawTag, ossFileMap, {
+		role: "config",
+		name: "openclaw.json",
+		dir: stagedDir
+	});
+	await downloadResource(openclawTag, ossFileMap, {
+		role: "template",
+		name: "scripts",
+		dir: configDir
+	});
+	log(`staged openclaw.json to ${stagedDir}, scripts directly to ${configDir}/scripts`);
+}
+/** Step 1: Backup current config as openclaw.json.bak.N */
+function backupCurrentConfig(configPath, log) {
+	if (!fileExists(configPath)) {
+		log("no existing config, skip backup");
+		return;
+	}
+	const dir = node_path.default.dirname(configPath);
+	let maxN = 0;
+	try {
+		for (const f of node_fs.default.readdirSync(dir)) {
+			const match = f.match(/^openclaw\.json\.bak\.(\d+)$/);
+			if (match) {
+				const n = parseInt(match[1], 10);
+				if (n > maxN) maxN = n;
+			}
+		}
+	} catch {}
+	const bakPath = configPath + ".bak." + (maxN + 1);
+	node_fs.default.copyFileSync(configPath, bakPath);
+	log(`backed up to ${bakPath}`);
+}
+/** Step 2: Replace $$__XXX__ placeholders and write default config. */
+function generateDefaultConfig(srcDir, configPath, templateVars, log) {
+	const srcConfigPath = node_path.default.join(srcDir, "openclaw.json");
+	if (!fileExists(srcConfigPath)) throw new Error("staged openclaw.json not found at " + srcConfigPath);
+	let content = node_fs.default.readFileSync(srcConfigPath, "utf-8");
+	let replaced = 0;
+	for (const [placeholder, value] of Object.entries(templateVars)) {
+		const parts = content.split(placeholder);
+		if (parts.length > 1) replaced += parts.length - 1;
+		content = parts.join(value);
+	}
+	node_fs.default.writeFileSync(configPath, content, "utf-8");
+	log(`wrote ${configPath} (${replaced} placeholder(s) replaced, ${Object.keys(templateVars).length} provided)`);
+}
+/** Step 3: Kill all openclaw processes. */
+function killOpenclawProcesses(log) {
+	try {
+		shell("pkill -f openclaw-gateway || true", 5e3);
+	} catch {}
+	shell("sleep 2", 5e3);
+	log("killed openclaw-gateway processes");
+}
+/**
+* Step 4: Wait for the sandbox's own init (init_sandbox.sh / concurrent npm
+* install) to finish before we start our own work. Two processes sharing
+* ~/.npm cache + competing for disk/network just makes everything crawl;
+* letting init finish first is the cleanest way to get exclusive access.
+* Polls every 10s up to `maxWaitMs`. If the deadline is hit we fall through
+* anyway — better to try than to fail the reset outright.
+*
+* Kept even after we switched off `npm install` because the sandbox init
+* script still runs `npm install` for other packages and holds cache locks.
+*/
+function waitForInitNpm(maxWaitMs, log) {
+	const deadline = Date.now() + maxWaitMs;
+	const ownPid = String(process.pid);
+	let polls = 0;
+	while (Date.now() < deadline) {
+		polls++;
+		let running = 0;
+		try {
+			const out = shell(`pgrep -af "init_sandbox.sh|npm install|npm i " | grep -v -- "${ownPid}" | wc -l`, 1e4);
+			running = parseInt(out.trim(), 10) || 0;
+		} catch {
+			log(`poll ${polls}: no concurrent npm, proceeding`);
+			return;
+		}
+		if (running === 0) {
+			log(`poll ${polls}: no concurrent npm, proceeding`);
+			return;
+		}
+		log(`poll ${polls}: ${running} concurrent npm/init process(es) still running, waiting 10s`);
+		try {
+			shell("sleep 10", 12e3);
+		} catch {}
+	}
+	log(`deadline (${maxWaitMs}ms) hit after ${polls} poll(s), proceeding anyway`);
+}
+/**
+* Step 5: Install openclaw from the OSS-provided tarball at the target tag,
+* then verify `openclaw --version` output contains that tag. No npm involved.
+*/
+async function step5InstallOpenclaw(openclawTag, ossFileMap, log) {
+	log(`install-openclaw tag=${openclawTag}`);
+	await installOpenclaw(openclawTag, ossFileMap);
+	const out = shell("openclaw --version 2>&1 || true", 1e4).trim();
+	if (!out.includes(openclawTag)) throw new Error(`openclaw version verify failed: got "${out}"`);
+	log(`openclaw version verified: ${out}`);
+}
+/** Step 6: Merge coreBackup from resetData + ensure allowedOrigins. */
+function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
+	const JSON5 = loadJSON5();
+	const backup = resetData.coreBackup;
+	if (backup) {
+		const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
+		const merged = [];
+		if (backup.agents && backup.agents.length > 0) {
+			if (!config.agents) config.agents = {};
+			const agents = config.agents;
+			if (!Array.isArray(agents.list)) agents.list = [];
+			const configDir = node_path.default.dirname(configPath);
+			for (const agent of backup.agents) {
+				const enriched = {
+					id: agent.id,
+					name: agent.id,
+					workspace: agent.workspace,
+					agentDir: configDir + "/agents/" + agent.id + "/agent"
+				};
+				agents.list.push(enriched);
+			}
+			merged.push(`agents(+${backup.agents.length})`);
+			const list = agents.list;
+			let mainIdx = list.findIndex((a) => a.id === "main");
+			if (mainIdx < 0) {
+				list.unshift({ id: "main" });
+				mainIdx = 0;
+			}
+			list[mainIdx].subagents = { allowAgents: ["*"] };
+			list[mainIdx].default = true;
+			merged.push("main-team-mode");
+			const feishu = config.channels?.feishu;
+			if (feishu) {
+				if (!feishu.accounts) feishu.accounts = {};
+				const accounts = feishu.accounts;
+				const defaultAccount = {};
+				for (const key of [
+					"dmPolicy",
+					"allowFrom",
+					"groupPolicy",
+					"groupAllowFrom"
+				]) if (feishu[key] !== void 0) defaultAccount[key] = feishu[key];
+				if (Object.keys(defaultAccount).length > 0) {
+					accounts.default = defaultAccount;
+					merged.push("accounts.default");
+				}
+			}
+		}
+		if (backup.bindings && backup.bindings.length > 0) {
+			config.bindings = backup.bindings;
+			merged.push("bindings");
+		}
+		const backupAccounts = backup.channels?.feishu?.accounts;
+		if (backupAccounts && Object.keys(backupAccounts).length > 0) {
+			if (!config.channels) config.channels = {};
+			const ch = config.channels;
+			if (!ch.feishu) ch.feishu = {};
+			const feishu = ch.feishu;
+			if (!feishu.accounts) feishu.accounts = {};
+			Object.assign(feishu.accounts, backupAccounts);
+			merged.push("channels.feishu.accounts");
+		}
+		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+		log(`merged from coreBackup: [${merged.join(", ") || "nothing"}]`);
+	} else log("no coreBackup in resetData, skip multi-agent merge");
+	const expectedOrigins = Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
+	if (expectedOrigins.length === 0) {
+		log("no expectedOrigins provided");
+		return;
+	}
+	const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
+	if (!config.gateway) config.gateway = {};
+	const gw = config.gateway;
+	if (!gw.controlUi) gw.controlUi = {};
+	const cui = gw.controlUi;
+	const current = Array.isArray(cui.allowedOrigins) ? cui.allowedOrigins.filter((o) => typeof o === "string") : [];
+	if (current.includes("*")) {
+		log("allowedOrigins already contains \"*\", skip origin merge");
+		return;
+	}
+	const seen = new Set(current);
+	const added = [];
+	const mergedOrigins = [...current];
+	for (const o of expectedOrigins) if (!seen.has(o)) {
+		mergedOrigins.push(o);
+		seen.add(o);
+		added.push(o);
+	}
+	cui.allowedOrigins = mergedOrigins;
+	node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
+}
+/**
+* Step 7: Verify startup scripts landed in configDir/scripts/.
+*
+* Scripts are extracted directly to configDir/scripts/ during stageTemplate —
+* there's no intermediate copy any more. This step is now a verification gate
+* (rather than a copy action) so the step count stays at 9 and we fail early
+* if the template tgz didn't carry a scripts/ dir.
+*/
+function verifyStartupScripts(configDir, log) {
+	const targetScriptsDir = node_path.default.join(configDir, "scripts");
+	if (!node_fs.default.existsSync(targetScriptsDir)) throw new Error(`scripts dir missing at ${targetScriptsDir} — template download failed?`);
+	log(`scripts dir present at ${targetScriptsDir}`);
+}
+/**
+* Step 8: Install all extensions listed in the OSS manifest at `openclawTag`.
+* Replaces the old `plugins update --all` / pre-packed tar.gz flow — the
+* manifest is now the single source of truth for which extensions ship.
+*/
+async function step8InstallExtensions(openclawTag, ossFileMap, log) {
+	log(`install-extension --all tag=${openclawTag}`);
+	await installExtension(openclawTag, ossFileMap, {
+		all: true,
+		skipConfigUpdate: true
+	});
+	log("extensions installed");
+}
+/** Step 9: Write secrets/provider key files and restart openclaw. */
+function writeSecretsAndRestart(vars, resetData, configDir, log) {
+	if (resetData.secretsContent && vars.secretsFilePath) {
+		writeFile(vars.secretsFilePath, resetData.secretsContent);
+		log(`wrote secrets to ${vars.secretsFilePath}`);
+	}
+	if (resetData.providerKeyContent && vars.providerFilePath) {
+		writeFile(vars.providerFilePath, resetData.providerKeyContent);
+		log(`wrote provider key to ${vars.providerFilePath}`);
+	}
+	const restartScript = node_path.default.join(configDir, "scripts", "restart.sh");
+	if (fileExists(restartScript)) {
+		const t = Date.now();
+		shell(`bash '${restartScript}'`, 3e4);
+		log(`restart.sh done in ${Date.now() - t}ms`);
+	} else log(`no restart.sh at ${restartScript}, skip`);
+}
+/**
 * Run the 9-step reset process. Called from the worker entry point.
+*
+* Each step is an independent function. The orchestrator handles progress
+* reporting, error handling, and process-level exception guards.
+*
+* Template assets (openclaw.json + scripts/) are downloaded from OSS into a
+* scratch dir via `stageTemplate` before step 1 — there is no bundled
+* `template/` directory at runtime any more.
 */
-function runReset(input, taskId, resultFile) {
+async function runReset(input, taskId, resultFile) {
 	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-	const { configPath, resetData } = input;
+	const { configPath, vars, resetData } = input;
 	const configDir = node_path.default.dirname(configPath);
+	const stagedDir = node_path.default.join(DIAGNOSE_DIR, `reset-${taskId}-template`);
 	let currentStep = 0;
+	let stepStartedAt = Date.now();
+	const log = makeLogger(resetLogFile(taskId));
+	log(`=== reset started, taskId=${taskId}, pid=${process.pid} ===`);
+	log(`configPath=${configPath}, configDir=${configDir}, stagedDir=${stagedDir}`);
+	const ossFileMap = resetData.ossFileMap;
+	if (!ossFileMap || Object.keys(ossFileMap).length === 0) {
+		const err = "resetData.ossFileMap missing or empty";
+		log(`ERROR: ${err}`);
+		markFailed(resultFile, 0, err, startedAt);
+		process.exit(1);
+	}
+	let openclawTag;
+	if (resetData.openclawTag) openclawTag = resetData.openclawTag;
+	else try {
+		openclawTag = getOpenclawTagFromOssFileMap(ossFileMap);
+	} catch (e) {
+		const err = e.message;
+		log(`ERROR: ${err}`);
+		markFailed(resultFile, 0, err, startedAt);
+		process.exit(1);
+	}
+	log(`openclawTag=${openclawTag}`);
 	process.on("uncaughtException", (err) => {
-		const stepName = currentStep > 0 ? STEPS[currentStep - 1] : "初始化";
-		markFailed(resultFile, currentStep, stepName, `uncaught exception: ${err.message}`, startedAt);
+		log(`FATAL uncaughtException: ${err.message}\n${err.stack ?? ""}`);
+		markFailed(resultFile, currentStep, `uncaught exception: ${err.message}`, startedAt);
 		process.exit(1);
 	});
 	process.on("unhandledRejection", (reason) => {
-		const stepName = currentStep > 0 ? STEPS[currentStep - 1] : "初始化";
-		markFailed(resultFile, currentStep, stepName, `unhandled rejection: ${reason}`, startedAt);
+		log(`FATAL unhandledRejection: ${String(reason)}`);
+		markFailed(resultFile, currentStep, `unhandled rejection: ${reason}`, startedAt);
 		process.exit(1);
 	});
+	/** Advance to the next step, updating the progress file and logging a boundary. */
+	const step = (n) => {
+		if (currentStep > 0) log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${Date.now() - stepStartedAt}ms`);
+		currentStep = n;
+		stepStartedAt = Date.now();
+		log(`--- step ${n}/${TOTAL_STEPS}: ${STEPS[n - 1]} ---`);
+		updateProgress(resultFile, n, startedAt);
+	};
 	try {
-		currentStep = 1;
-		updateProgress(resultFile, currentStep, STEPS[0], startedAt);
-		if (fileExists(configPath)) {
-			let maxN = 0;
-			try {
-				const files = node_fs.default.readdirSync(configDir);
-				const bakPattern = /^openclaw\.json\.bak\.(\d+)$/;
-				for (const f of files) {
-					const match = f.match(bakPattern);
-					if (match) {
-						const n = parseInt(match[1], 10);
-						if (n > maxN) maxN = n;
-					}
-				}
-			} catch {}
-			const bakPath = configPath + ".bak." + (maxN + 1);
-			node_fs.default.copyFileSync(configPath, bakPath);
-		}
-		currentStep = 2;
-		updateProgress(resultFile, currentStep, STEPS[1], startedAt);
-		if (!node_fs.default.existsSync(TMP_RESET_DIR)) node_fs.default.mkdirSync(TMP_RESET_DIR, { recursive: true });
-		const zipPath = node_path.default.join(TMP_RESET_DIR, "template.zip");
-		const zipSource = resetData.zipDownloadURL;
-		if (zipSource.startsWith("http://") || zipSource.startsWith("https://")) shell(`curl -sSL -o '${zipPath}' '${zipSource}'`, 12e4);
-		else shell(`cp '${zipSource}' '${zipPath}'`, 1e4);
-		shell(`unzip -o '${zipPath}' -d '${TMP_RESET_DIR}'`, 6e4);
-		const srcDir = findSrcDir(TMP_RESET_DIR);
-		currentStep = 3;
-		updateProgress(resultFile, currentStep, STEPS[2], startedAt);
-		const srcConfigPath = node_path.default.join(srcDir, "openclaw.json");
-		if (!fileExists(srcConfigPath)) throw new Error("template openclaw.json not found in downloaded zip at " + srcConfigPath);
-		let configContent = node_fs.default.readFileSync(srcConfigPath, "utf-8");
-		for (const [placeholder, value] of Object.entries(resetData.templateVars)) configContent = configContent.split(placeholder).join(value);
-		node_fs.default.writeFileSync(configPath, configContent, "utf-8");
-		currentStep = 4;
-		updateProgress(resultFile, currentStep, STEPS[3], startedAt);
-		try {
-			shell("pkill -f openclaw-gateway || true", 5e3);
-		} catch {}
-		shell("sleep 2", 5e3);
-		currentStep = 5;
-		updateProgress(resultFile, currentStep, STEPS[4], startedAt);
-		const JSON5 = loadJSON5();
-		const version = JSON5.parse(node_fs.default.readFileSync(srcConfigPath, "utf-8")).meta?.lastTouchedVersion;
-		if (version) shell(`npm install -g @anthropic-ai/openclaw@${version}`, 3e5);
-		else shell("npm install -g @anthropic-ai/openclaw@latest", 3e5);
-		currentStep = 6;
-		updateProgress(resultFile, currentStep, STEPS[5], startedAt);
-		if (fileExists(CORE_BACKUP_PATH)) {
-			const backup = JSON.parse(node_fs.default.readFileSync(CORE_BACKUP_PATH, "utf-8"));
-			const mergeConfig = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
-			if (backup.agents) mergeConfig.agents = backup.agents;
-			if (backup.bindings) mergeConfig.bindings = backup.bindings;
-			const backupFeishu = backup.channels?.feishu;
-			if (backupFeishu?.accounts) {
-				if (!mergeConfig.channels) mergeConfig.channels = {};
-				const ch = mergeConfig.channels;
-				if (!ch.feishu) ch.feishu = {};
-				const feishu = ch.feishu;
-				feishu.accounts = backupFeishu.accounts;
-			}
-			node_fs.default.writeFileSync(configPath, JSON.stringify(mergeConfig, null, 2), "utf-8");
-		}
-		currentStep = 7;
-		updateProgress(resultFile, currentStep, STEPS[6], startedAt);
-		const srcScriptsDir = node_path.default.join(srcDir, "scripts");
-		const targetScriptsDir = node_path.default.join(configDir, "scripts");
-		if (node_fs.default.existsSync(srcScriptsDir)) {
-			if (!node_fs.default.existsSync(targetScriptsDir)) node_fs.default.mkdirSync(targetScriptsDir, { recursive: true });
-			shell(`cp -r '${srcScriptsDir}'/* '${targetScriptsDir}/'`, 1e4);
-		}
-		currentStep = 8;
-		updateProgress(resultFile, currentStep, STEPS[7], startedAt);
-		try {
-			shell("openclaw plugins install --all", 3e5);
-		} catch (e) {}
-		currentStep = 9;
-		updateProgress(resultFile, currentStep, STEPS[8], startedAt);
-		if (resetData.secretsContent && input.vars.secretsFilePath) writeFile(input.vars.secretsFilePath, resetData.secretsContent);
-		if (resetData.providerKeyContent && input.vars.providerFilePath) writeFile(input.vars.providerFilePath, resetData.providerKeyContent);
-		const restartScript = node_path.default.join(configDir, "scripts", "restart.sh");
-		if (fileExists(restartScript)) shell(`bash '${restartScript}'`, 3e4);
+		await stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log);
+		step(1);
+		backupCurrentConfig(configPath, log);
+		step(2);
+		generateDefaultConfig(stagedDir, configPath, resetData.templateVars, log);
+		step(3);
+		killOpenclawProcesses(log);
+		step(4);
+		waitForInitNpm(10 * 6e4, log);
+		step(5);
+		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
+		step(6);
+		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
+		step(7);
+		verifyStartupScripts(configDir, log);
+		step(8);
+		await step8InstallExtensions(openclawTag, ossFileMap, log);
+		step(9);
+		writeSecretsAndRestart(vars, resetData, configDir, log);
+		log(`step 9 "${STEPS[8]}" done in ${Date.now() - stepStartedAt}ms`);
+		log("=== reset completed successfully ===");
+		markDone(resultFile, startedAt);
+	} catch (e) {
+		const err = e.message;
+		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${Date.now() - stepStartedAt}ms: ${err}\n${e.stack ?? ""}`);
+		markFailed(resultFile, currentStep, err, startedAt);
+		process.exit(1);
+	} finally {
 		try {
-			node_fs.default.rmSync(TMP_RESET_DIR, {
+			node_fs.default.rmSync(stagedDir, {
 				recursive: true,
 				force: true
 			});
 		} catch {}
-		markDone(resultFile, startedAt);
-	} catch (e) {
-		const stepName = currentStep > 0 ? STEPS[currentStep - 1] : "初始化";
-		markFailed(resultFile, currentStep, stepName, e.message, startedAt);
-		process.exit(1);
 	}
 }
-/**
-* Find the source directory within the extracted zip.
-* Looks for openclaw.json in TMP_RESET_DIR or one level deep.
-*/
-function findSrcDir(baseDir) {
-	if (node_fs.default.existsSync(node_path.default.join(baseDir, "openclaw.json"))) return baseDir;
-	const entries = node_fs.default.readdirSync(baseDir, { withFileTypes: true });
-	for (const entry of entries) if (entry.isDirectory()) {
-		const candidate = node_path.default.join(baseDir, entry.name);
-		if (node_fs.default.existsSync(node_path.default.join(candidate, "openclaw.json"))) return candidate;
-	}
-	return baseDir;
-}
 //#endregion
 //#region src/get-reset-task.ts
 /**
@@ -1274,7 +2406,7 @@ function findSrcDir(baseDir) {
 * Returns immediately on terminal states (done/failed).
 */
 function getResetTask(taskId) {
-	const resultFile = `/tmp/openclaw-reset-${taskId}.json`;
+	const resultFile = resetResultFile(taskId);
 	const deadline = Date.now() + 3e4;
 	while (Date.now() < deadline) {
 		if (!node_fs.default.existsSync(resultFile)) {
@@ -1305,65 +2437,750 @@ function sleepSync(ms) {
 	Atomics.wait(arr, 0, 0, ms);
 }
 //#endregion
+//#region src/oss/resolveOssFileMap.ts
+/**
+* Pick an OssFileMap in the order of decreasing specificity:
+*   1. `--oss_file_map=` flag — operator override (manual invocations, tests)
+*   2. `ctx.install.ossFileMap` — new shape (innerapi-driven DoctorCtx)
+*   3. `ctx.resetData.ossFileMap` — legacy shape (sandbox_console push path)
+*
+* Throws when none of the three yields a non-empty map. Empty maps are
+* treated as missing — an empty map is useless downstream and almost always
+* indicates a ctx wiring bug.
+*/
+function resolveOssFileMap(args) {
+	if (args.ossFileMapFlag) return JSON.parse(Buffer.from(args.ossFileMapFlag, "base64").toString("utf-8"));
+	if (args.installOssFileMap && Object.keys(args.installOssFileMap).length > 0) return args.installOssFileMap;
+	if (args.resetDataOssFileMap && Object.keys(args.resetDataOssFileMap).length > 0) return args.resetDataOssFileMap;
+	throw new Error("ossFileMap missing: provide --oss_file_map flag, ctx.install.ossFileMap, or resetData.ossFileMap");
+}
+//#endregion
+//#region src/innerapi/fetchCtx.ts
+/**
+* CLI-side client for studio_server's `openclaw.get_doctor_ctx` inner API.
+*
+* Mirrors the proven pattern in
+* `packages/openclaw/extensions/miaoda/src/shared/innerapi-client.ts`:
+*
+*   - `baseURL` from env `FORCE_AUTHN_INNERAPI_DOMAIN` (injected into every
+*     openclaw sandbox).
+*   - `platform: { enabled, tokenProvider: { type: 'file' } }` — the platform
+*     plugin auto-attaches the sandbox's identity JWT loaded from the
+*     rootfs token file. Same auth that the miaoda extension already uses.
+*   - POST `/api/v1/studio/innerapi/integration_apis/call`
+*     body = { apiName: 'openclaw.get_doctor_ctx', input: {}, bizType: 'openclaw' }
+*     — the server-side APICall dispatches by `apiName` to
+*     `GetDoctorCtxAPICall.Execute` whose `Name()` returns that string.
+*   - Response envelope: { status_code, error_msg?, data: { success, output, ... } }.
+*     `status_code` is a *string* ('0' = success).
+*     Actual DoctorCtx lives in `data.output`.
+*   - `x-tt-logid` header is logged on every failure path for cross-service
+*     traceability.
+*
+* On HTTP 401 (sandbox identity token expired/invalid) we `process.exit(77)`
+* instead of throwing — the outer catch in `index.ts` cannot then mask auth
+* failure as a generic "Error: ...". Caller (e.g. sandbox_console) sees the
+* exit code and can refresh the token + retry.
+*/
+const INNERAPI_CALL_PATH = "/api/v1/studio/innerapi/integration_apis/call";
+const API_NAME = "openclaw.get_doctor_ctx";
+const BIZ_TYPE = "openclaw";
+const API_TIMEOUT_MS = 3e4;
+const MAX_LOG_BODY = 500;
+let clientInstance = null;
+function getHttpClient() {
+	if (!clientInstance) {
+		const apiUrl = process.env.FORCE_AUTHN_INNERAPI_DOMAIN;
+		(0, node_assert.default)(apiUrl, "missing env: FORCE_AUTHN_INNERAPI_DOMAIN (openclaw sandbox runtime must expose this)");
+		clientInstance = new _lark_apaas_http_client.HttpClient({
+			baseURL: apiUrl,
+			timeout: API_TIMEOUT_MS,
+			platform: {
+				enabled: true,
+				tokenProvider: { type: "file" }
+			}
+		});
+	}
+	return clientInstance;
+}
+/**
+* Fetch the sandbox's DoctorCtx by calling the innerapi's generic
+* `integration_apis/call` dispatcher with apiName=openclaw.get_doctor_ctx.
+*
+* Throws on HTTP (non-401) / decode / business errors. On 401 calls
+* `process.exit(77)` directly.
+*/
+async function fetchCtxViaInnerApi() {
+	const client = getHttpClient();
+	const body = {
+		apiName: API_NAME,
+		input: {},
+		bizType: BIZ_TYPE
+	};
+	const start = Date.now();
+	const headers = { "Content-Type": "application/json" };
+	const ttEnv = process.env.X_TT_ENV;
+	if (ttEnv) headers["x-tt-env"] = ttEnv;
+	let response;
+	try {
+		response = await client.post(INNERAPI_CALL_PATH, body, { headers });
+	} catch (e) {
+		const durationMs = Date.now() - start;
+		if (e instanceof _lark_apaas_http_client.HttpError && e.response) {
+			const status = e.response.status;
+			const logId = e.response.headers.get("x-tt-logid") ?? "";
+			if (status === 401) {
+				console.error(`[CLI] innerapi 401 (logID: ${logId}) — sandbox identity token expired/invalid; exiting 77`);
+				process.exit(77);
+			}
+			throw new Error(`fetchCtxViaInnerApi HTTP ${status} ${e.response.statusText} (logID: ${logId}, durationMs: ${durationMs})`);
+		}
+		const msg = e instanceof Error ? e.message : String(e);
+		throw new Error(`fetchCtxViaInnerApi network error: ${msg} (durationMs: ${durationMs})`);
+	}
+	const logId = response.headers.get("x-tt-logid") ?? "";
+	const durationMs = Date.now() - start;
+	if (!response.ok) {
+		if (response.status === 401) {
+			console.error(`[CLI] innerapi 401 (logID: ${logId}) — sandbox identity token expired/invalid; exiting 77`);
+			process.exit(77);
+		}
+		let preview = "";
+		try {
+			preview = (await response.text()).slice(0, MAX_LOG_BODY);
+		} catch {}
+		throw new Error(`fetchCtxViaInnerApi HTTP ${response.status} ${response.statusText} (logID: ${logId}, durationMs: ${durationMs})${preview ? ` body=${preview}` : ""}`);
+	}
+	let envelope;
+	try {
+		envelope = await response.json();
+	} catch {
+		throw new Error(`fetchCtxViaInnerApi decode error (logID: ${logId}, durationMs: ${durationMs})`);
+	}
+	if (envelope.status_code !== "0") throw new Error(`fetchCtxViaInnerApi API error (logID: ${logId}, durationMs: ${durationMs}): code=${envelope.status_code}, message=${envelope.error_msg ?? ""}`);
+	if (envelope.data && envelope.data.success === false) throw new Error(`fetchCtxViaInnerApi business error (logID: ${logId}, durationMs: ${durationMs}): ${envelope.error_msg ?? JSON.stringify(envelope.data)}`);
+	const output = envelope.data?.output;
+	if (!output || typeof output !== "object") throw new Error(`fetchCtxViaInnerApi empty/invalid output (logID: ${logId}, durationMs: ${durationMs})`);
+	return output;
+}
+//#endregion
+//#region src/ctx/normalize.ts
+/**
+* Accept raw ctx from any of these sources and produce a uniform view:
+*   - New shape (DoctorCtx): `{ app, install, secrets, reset }` — from innerapi.
+*   - Old shape (ResetInput): `{ configPath, vars, resetData }` — from
+*     sandbox_console push path.
+* Detection is structural: if the top-level has all four new-shape groups we
+* pass through; otherwise we remap from the old shape.
+*
+* Missing fields fall back to safe empty defaults (empty strings / arrays /
+* maps) so every downstream consumer can read e.g. `ctx.app.feishuAppID`
+* without an extra nullish guard.
+*/
+function normalizeCtx(raw) {
+	const r = raw ?? {};
+	if (r.app && typeof r.app === "object" && r.install && typeof r.install === "object" && r.secrets && typeof r.secrets === "object" && r.reset && typeof r.reset === "object") return {
+		app: fillApp(r.app),
+		install: {
+			openclawTag: r.install.openclawTag,
+			ossFileMap: r.install.ossFileMap ?? {}
+		},
+		secrets: {
+			secretsContent: r.secrets.secretsContent ?? "",
+			providerKeyContent: r.secrets.providerKeyContent ?? ""
+		},
+		reset: {
+			templateVars: r.reset.templateVars ?? {},
+			coreBackup: r.reset.coreBackup
+		}
+	};
+	const vars = r.vars ?? {};
+	const resetData = r.resetData ?? {};
+	const repairData = r.repairData ?? {};
+	return {
+		app: fillApp(vars),
+		install: {
+			openclawTag: r.install?.openclawTag ?? r.openclawTag,
+			ossFileMap: r.install?.ossFileMap ?? resetData.ossFileMap ?? r.ossFileMap ?? {}
+		},
+		secrets: {
+			secretsContent: resetData.secretsContent ?? repairData.secretsContent ?? "",
+			providerKeyContent: resetData.providerKeyContent ?? repairData.providerKeyContent ?? ""
+		},
+		reset: {
+			templateVars: resetData.templateVars ?? {},
+			coreBackup: resetData.coreBackup
+		}
+	};
+}
+function fillApp(src) {
+	return {
+		feishuAppID: src.feishuAppID ?? "",
+		feishuAppSecret: src.feishuAppSecret ?? "",
+		teamChatID: typeof src.teamChatID === "string" && src.teamChatID !== "" ? src.teamChatID : void 0,
+		feishuOpenID: src.feishuOpenID ?? "",
+		openClawName: src.openClawName ?? "",
+		gatewayToken: src.gatewayToken ?? "",
+		innerAPIKey: src.innerAPIKey ?? "",
+		baseURL: src.baseURL ?? "",
+		miaodaDomain: src.miaodaDomain ?? "",
+		miaodaOrigin: src.miaodaOrigin ?? "",
+		expectedOrigins: Array.isArray(src.expectedOrigins) ? src.expectedOrigins : []
+	};
+}
+//#endregion
+//#region src/ctx-input.ts
+/**
+* Build legacy Check/Repair/Reset input shapes from a raw ctx object. Shared
+* by both the top-level CLI dispatcher (`index.ts`) and the new `doctor`
+* subcommand (`doctor.ts`), which need identical input synthesis.
+*
+* Behavior:
+*   - If `raw` already carries the legacy `configPath + vars` shape (the one
+*     sandbox_console push emits), it's trusted and returned as-is. This
+*     keeps the existing sandbox_console push contract working.
+*   - Otherwise `raw` is treated as the new-shape DoctorCtx (or anything
+*     structurally close — `normalizeCtx` fills the gaps with safe empties)
+*     and the legacy Vars shape is synthesised using the hardcoded sandbox
+*     path invariants from `paths.ts`.
+*
+* The optional `configPathOverride` lets unit tests point the builder at a
+* tmp file; production callers should leave it undefined so the sandbox
+* invariant from `paths.ts` is used.
+*/
+function buildCheckInput(raw, configPathOverride) {
+	const r = raw ?? {};
+	if (r.configPath && r.vars) {
+		if (configPathOverride) return {
+			...r,
+			configPath: configPathOverride
+		};
+		return r;
+	}
+	const ctx = normalizeCtx(raw);
+	return {
+		configPath: configPathOverride ?? CONFIG_PATH,
+		vars: {
+			feishuAppID: ctx.app.feishuAppID,
+			feishuAppSecret: ctx.app.feishuAppSecret,
+			teamChatID: ctx.app.teamChatID,
+			innerAPIKey: ctx.app.innerAPIKey,
+			gatewayToken: ctx.app.gatewayToken,
+			baseURL: ctx.app.baseURL,
+			expectedOrigins: ctx.app.expectedOrigins,
+			providerFilePath: PROVIDER_FILE_PATH,
+			secretsFilePath: SECRETS_FILE_PATH
+		},
+		templateVars: ctx.reset.templateVars
+	};
+}
+function buildRepairInput(raw, configPathOverride) {
+	const r = raw ?? {};
+	if (r.configPath && r.vars) {
+		if (configPathOverride) return {
+			...r,
+			configPath: configPathOverride
+		};
+		return r;
+	}
+	const ctx = normalizeCtx(raw);
+	return {
+		configPath: configPathOverride ?? CONFIG_PATH,
+		vars: {
+			feishuAppID: ctx.app.feishuAppID,
+			feishuAppSecret: ctx.app.feishuAppSecret,
+			teamChatID: ctx.app.teamChatID,
+			innerAPIKey: ctx.app.innerAPIKey,
+			gatewayToken: ctx.app.gatewayToken,
+			baseURL: ctx.app.baseURL,
+			expectedOrigins: ctx.app.expectedOrigins,
+			providerFilePath: PROVIDER_FILE_PATH,
+			secretsFilePath: SECRETS_FILE_PATH
+		},
+		repairData: {
+			secretsContent: ctx.secrets.secretsContent,
+			providerKeyContent: ctx.secrets.providerKeyContent
+		},
+		templateVars: ctx.reset.templateVars
+	};
+}
+function buildResetInput(raw, configPathOverride) {
+	const r = raw ?? {};
+	if (r.configPath && r.vars && r.resetData) {
+		if (configPathOverride) return {
+			...r,
+			configPath: configPathOverride
+		};
+		return r;
+	}
+	const ctx = normalizeCtx(raw);
+	return {
+		configPath: configPathOverride ?? CONFIG_PATH,
+		vars: {
+			feishuAppID: ctx.app.feishuAppID,
+			feishuAppSecret: ctx.app.feishuAppSecret,
+			teamChatID: ctx.app.teamChatID,
+			innerAPIKey: ctx.app.innerAPIKey,
+			gatewayToken: ctx.app.gatewayToken,
+			baseURL: ctx.app.baseURL,
+			expectedOrigins: ctx.app.expectedOrigins,
+			providerFilePath: PROVIDER_FILE_PATH,
+			secretsFilePath: SECRETS_FILE_PATH
+		},
+		resetData: {
+			templateVars: ctx.reset.templateVars,
+			secretsContent: ctx.secrets.secretsContent,
+			providerKeyContent: ctx.secrets.providerKeyContent,
+			coreBackup: ctx.reset.coreBackup,
+			ossFileMap: ctx.install.ossFileMap,
+			openclawTag: ctx.install.openclawTag
+		}
+	};
+}
+//#endregion
+//#region src/doctor.ts
+async function runDoctor(rawCtx, opts) {
+	if (opts.fix && opts.rules.length > 0) {
+		const repairInput = buildRepairInput(rawCtx, opts.configPath);
+		repairInput.failedRules = opts.rules;
+		repairInput.repairData = {
+			...repairInput.repairData ?? {},
+			restartCommand: ""
+		};
+		return { repair: runRepair(repairInput) };
+	}
+	const check = runCheck(buildCheckInput(rawCtx, opts.configPath));
+	if (!opts.fix) return { failedRules: check.failedRules };
+	const repairInput = buildRepairInput(rawCtx, opts.configPath);
+	repairInput.failedRules = check.failedRules.standard;
+	return {
+		check,
+		repair: runRepair(repairInput)
+	};
+}
+//#endregion
+//#region src/help.ts
+const BIN = "mclaw-diagnose";
+function versionBanner() {
+	return `v0.1.1-alpha.31`;
+}
+const COMMANDS = [
+	{
+		name: "doctor",
+		hidden: false,
+		summary: "Diagnose openclaw config; apply repairs with --fix",
+		help: `USAGE
+  ${BIN} doctor [--fix] [--rule=<key>]...
+DESCRIPTION
+  Fetches DoctorCtx via innerapi, then runs one of three modes depending
+  on the flags. Output is a single JSON object on stdout.
+MODES
+  (no flags)              Check-only. Runs the rule engine against the
+                          sandbox's current openclaw config and returns
+                            { failedRules: { standard, ai, reset } }
+                          No files are mutated. Use this when you just
+                          want to know what's wrong.
+  --fix                   Check + repair-all. First runs the rule engine,
+                          then repairs every failing standard-mode rule.
+                          Returns
+                            { check: {...}, repair: {...} }
+                          Use this as the default "fix everything" action.
+  --fix --rule=<key>...   Targeted repair. Skips the check pass entirely
+                          and runs repair against the listed rule keys
+                          only. Unknown keys are silently ignored.
+                          Returns { repair: {...} } with only those
+                          rules' outcomes. Use this when you already
+                          know which rules need fixing.
+OPTIONS
+  --fix                   Enable repair. See MODES above.
+  --rule=<key>            Repair only this rule key. Repeatable. Only
+                          meaningful together with --fix.
+EXAMPLES
+  ${BIN} doctor                                            # check only
+  ${BIN} doctor --fix                                      # check then repair all
+  ${BIN} doctor --fix --rule=gateway                       # repair 'gateway' only
+  ${BIN} doctor --fix --rule=gateway --rule=jwt_token      # repair multiple
+EXIT CODES
+  0    success
+  1    generic error
+  77   innerapi authentication failed (sandbox JWT expired/invalid)
+`
+	},
+	{
+		name: "check",
+		hidden: true,
+		summary: "Run rule-engine check only",
+		help: `USAGE
+  ${BIN} check [--ctx=<base64>]
+DESCRIPTION
+  Runs the rule engine against the sandbox's current openclaw config and
+  returns { failedRules }. Used by sandbox_console's push-style callers
+  that already own the ctx — end-users should prefer \`doctor\`.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi (same path as doctor).
+`
+	},
+	{
+		name: "repair",
+		hidden: true,
+		summary: "Apply standard-mode repairs",
+		help: `USAGE
+  ${BIN} repair [--ctx=<base64>]
+DESCRIPTION
+  Runs repair for the failing rules listed inside the ctx's repairData.
+  Intended for sandbox_console's push path — end-users should use
+  \`doctor --fix\` instead.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi.
+`
+	},
+	{
+		name: "reset",
+		hidden: true,
+		summary: "Re-initialize sandbox via the 9-step reset pipeline",
+		help: `USAGE
+  ${BIN} reset --async  [--ctx=<base64>]
+  ${BIN} reset --worker --task-id=<id> [--ctx=<base64>]
+DESCRIPTION
+  Two-phase pipeline driven asynchronously: the --async invocation spawns
+  a detached worker and returns { taskId } immediately; the --worker
+  invocation (spawned by --async) runs the actual 9 steps and writes
+  progress to /tmp/openclaw-diagnose/reset-<taskId>.json.
+  Poll progress with \`${BIN} get_reset_task --task-id=<id>\`.
+OPTIONS
+  --async           Start a detached worker and return taskId on stdout.
+  --worker          Internal — run the 9-step pipeline (launched by --async).
+  --task-id=<id>    Required with --worker; identifies the progress file.
+  --ctx=<base64>    Opaque ctx JSON; fetched from innerapi when absent.
+`
+	},
+	{
+		name: "get_reset_task",
+		hidden: true,
+		summary: "Poll progress of an async reset task",
+		help: `USAGE
+  ${BIN} get_reset_task --task-id=<id>
+DESCRIPTION
+  Reads /tmp/openclaw-diagnose/reset-<taskId>.json and prints its content
+  as JSON on stdout. Safe to call repeatedly while reset is in progress.
+OPTIONS
+  --task-id=<id>    Required. Matches the id returned by \`reset --async\`.
+`
+	},
+	{
+		name: "install-openclaw",
+		hidden: true,
+		summary: "Download + install the openclaw tarball",
+		help: `USAGE
+  ${BIN} install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]
+DESCRIPTION
+  Downloads the openclaw@<tag> tgz via the signed OSS URL found in the
+  ctx's install.ossFileMap, extracts it into a tmpfs staging dir, and
+  atomically swaps it into /home/gem/.npm-global/lib/node_modules/openclaw.
+  Used by step 5 of reset.
+ARGUMENTS
+  <tag>                Openclaw version tag, e.g. 2026.4.11.
+OPTIONS
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi
+                       entirely. Wins over --ctx when both provided.
+`
+	},
+	{
+		name: "install-extension",
+		hidden: true,
+		summary: "Install openclaw extension package(s)",
+		help: `USAGE
+  ${BIN} install-extension <tag> (--all | --extension=<name>...) [options]
+DESCRIPTION
+  Downloads + installs one or more openclaw extension tarballs
+  (feishu, miaoda, etc.) into <home_base>/workspace/agent/extensions/,
+  then splices installMetadata into openclaw.json's plugins.installs
+  unless --skip-config-update is passed.
+ARGUMENTS
+  <tag>                Openclaw version tag; extension versions resolved
+                       against the matching manifest.
+OPTIONS
+  --all                Install every extension in the manifest.
+  --extension=<name>   Install a specific extension (repeatable).
+  --home_base=<dir>    Override the /home/gem base (tests).
+  --config_path=<p>    Override the openclaw.json path (tests).
+  --skip-config-update Leave plugins.installs in openclaw.json untouched.
+  --ctx=<base64>       Opaque ctx; see install-openclaw for semantics.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
+`
+	},
+	{
+		name: "download-resource",
+		hidden: true,
+		summary: "Download + extract a single OSS resource",
+		help: `USAGE
+  ${BIN} download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [options]
+DESCRIPTION
+  Downloads one resource (template, config asset, etc.) identified by
+  (role, name) from the manifest and extracts/copies it to <dir>.
+ARGUMENTS
+  <tag>                Openclaw version tag.
+OPTIONS
+  --role=<role>        Package role (e.g. template, config).
+  --name=<name>        Package name within the role.
+  --dir=<dir>          Target dir (defaults to dirname(pkg.installPath)).
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
+`
+	}
+];
+function parseHelpFlags(args) {
+	return {
+		help: args.includes("--help") || args.includes("-h"),
+		expert: args.includes("-x") || args.includes("--expert")
+	};
+}
+/**
+* Render the top-level help to the given stream. When `expert` is true,
+* hidden commands are listed alongside the user-facing ones.
+*/
+function formatTopLevelHelp(expert) {
+	const visible = COMMANDS.filter((c) => !c.hidden);
+	const hidden = COMMANDS.filter((c) => c.hidden);
+	const pad = (s, w) => s + " ".repeat(Math.max(0, w - s.length));
+	const w = Math.max(...COMMANDS.map((c) => c.name.length)) + 2;
+	const lines = [];
+	lines.push(`${BIN} — OpenClaw config diagnose / repair CLI`);
+	lines.push(versionBanner());
+	lines.push("");
+	lines.push("USAGE");
+	lines.push(`  ${BIN} <command> [options]`);
+	lines.push(`  ${BIN} <command> --help       per-command help`);
+	lines.push(`  ${BIN} --help                 this message`);
+	lines.push("");
+	lines.push("COMMANDS");
+	for (const c of visible) lines.push(`  ${pad(c.name, w)}${c.summary}`);
+	if (expert && hidden.length > 0) {
+		lines.push("");
+		lines.push("INTERNAL COMMANDS (revealed by -x)");
+		for (const c of hidden) lines.push(`  ${pad(c.name, w)}${c.summary}`);
+	}
+	lines.push("");
+	return lines.join("\n");
+}
+/** Render per-command help. Returns undefined when the name is unknown. */
+function formatCommandHelp(name) {
+	const cmd = COMMANDS.find((c) => c.name === name);
+	if (!cmd) return void 0;
+	return cmd.help;
+}
+//#endregion
 //#region src/index.ts
 const args = node_process.default.argv.slice(2);
-const mode = args.find((a) => !a.startsWith("--"));
-switch (mode) {
-	case "check":
-	case "repair": {
-		const ctx = args.find((a) => a.startsWith("--ctx="))?.slice(6);
-		if (!ctx) {
-			console.error("Error: --ctx=<base64> is required");
-			node_process.default.exit(1);
+const mode = args.find((a) => !a.startsWith("-"));
+/**
+* Decode `--ctx=<base64>` into an opaque JSON object. Returns undefined when
+* the flag isn't present — the caller decides whether to fall back to the
+* innerapi or to error out.
+*
+* The object's shape is not enforced here; downstream code consumes it via
+* either `normalizeCtx()` (new path) or direct field access for the legacy
+* check/repair/reset contract still used by sandbox_console push.
+*/
+function parseCtxFlag(args) {
+	const ctxArg = args.find((a) => a.startsWith("--ctx="));
+	if (!ctxArg) return void 0;
+	const b64 = ctxArg.slice(6);
+	return JSON.parse(Buffer.from(b64, "base64").toString("utf-8"));
+}
+/**
+* Pull the first non-flag positional after the mode name.
+* (The mode itself is args[0] in the filtered set, so we skip index 0.)
+*/
+function getPositionalTag(args, modeName) {
+	return args.find((a, i) => i > 0 && !a.startsWith("--") && a !== modeName);
+}
+function getFlag(args, name) {
+	const prefix = `--${name}=`;
+	return args.find((a) => a.startsWith(prefix))?.slice(prefix.length);
+}
+function getMultiFlag(args, name) {
+	const prefix = `--${name}=`;
+	return args.filter((a) => a.startsWith(prefix)).map((a) => a.slice(prefix.length));
+}
+async function main() {
+	installStderrMirror();
+	const helpFlags = parseHelpFlags(args);
+	if (mode && helpFlags.help) {
+		const body = formatCommandHelp(mode);
+		if (body) {
+			node_process.default.stdout.write(body);
+			return;
 		}
-		const input = JSON.parse(Buffer.from(ctx, "base64").toString("utf-8"));
-		if (mode === "check") console.log(JSON.stringify(runCheck(input)));
-		else console.log(JSON.stringify(runRepair(input)));
-		break;
-	}
-	case "backup": {
-		const ctx = args.find((a) => a.startsWith("--ctx="))?.slice(6);
-		if (!ctx) {
-			console.error("Error: --ctx=<base64> is required");
-			node_process.default.exit(1);
+		node_process.default.stderr.write(`Unknown command: ${mode}\n\n`);
+		node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
+		node_process.default.exit(1);
+	}
+	if (!mode) {
+		if (helpFlags.help) {
+			node_process.default.stdout.write(formatTopLevelHelp(helpFlags.expert));
+			return;
 		}
-		const input = JSON.parse(Buffer.from(ctx, "base64").toString("utf-8"));
-		console.log(JSON.stringify(runBackup(input)));
-		break;
-	}
-	case "reset":
-		if (args.includes("--async")) {
-			const ctx = args.find((a) => a.startsWith("--ctx="))?.slice(6);
-			if (!ctx) {
-				console.error("Error: --ctx=<base64> is required");
+		node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
+		node_process.default.exit(1);
+	}
+	switch (mode) {
+		case "check":
+		case "repair": {
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi();
+			if (mode === "check") console.log(JSON.stringify(runCheck(buildCheckInput(raw))));
+			else console.log(JSON.stringify(runRepair(buildRepairInput(raw))));
+			break;
+		}
+		case "doctor": {
+			const fix = args.includes("--fix");
+			const rules = getMultiFlag(args, "rule");
+			const result = await runDoctor(await fetchCtxViaInnerApi(), {
+				fix,
+				rules
+			});
+			console.log(JSON.stringify(result));
+			break;
+		}
+		case "reset":
+			if (args.includes("--async")) {
+				const ctxArg = args.find((a) => a.startsWith("--ctx="));
+				let ctxBase64;
+				if (ctxArg) ctxBase64 = ctxArg.slice(6);
+				else {
+					const fetched = await fetchCtxViaInnerApi();
+					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
+				}
+				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
+			} else if (args.includes("--worker")) {
+				const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
+				if (!taskId) {
+					console.error("Error: --task-id=<id> is required for worker");
+					node_process.default.exit(1);
+				}
+				const resultFile = resetResultFile(taskId);
+				await runReset(buildResetInput(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()), taskId, resultFile);
+			} else {
+				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
 				node_process.default.exit(1);
 			}
-			console.log(JSON.stringify(startAsyncReset(ctx)));
-		} else if (args.includes("--worker")) {
-			const ctx = args.find((a) => a.startsWith("--ctx="))?.slice(6);
+			break;
+		case "get_reset_task": {
 			const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
-			if (!ctx || !taskId) {
-				console.error("Error: --ctx=<base64> and --task-id=<id> are required for worker");
+			if (!taskId) {
+				console.error("Error: --task-id=<id> is required");
 				node_process.default.exit(1);
 			}
-			const resultFile = `/tmp/openclaw-reset-${taskId}.json`;
-			runReset(JSON.parse(Buffer.from(ctx, "base64").toString("utf-8")), taskId, resultFile);
-		} else {
-			console.error("Usage: reset --async --ctx=<base64> | reset --worker --task-id=<id> --ctx=<base64>");
-			node_process.default.exit(1);
+			console.log(JSON.stringify(getResetTask(taskId)));
+			break;
 		}
-		break;
-	case "get_reset_task": {
-		const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
-		if (!taskId) {
-			console.error("Error: --task-id=<id> is required");
-			node_process.default.exit(1);
+		case "install-openclaw": {
+			const tag = getPositionalTag(args, "install-openclaw");
+			if (!tag) {
+				console.error("Usage: install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]");
+				node_process.default.exit(1);
+			}
+			const ossFileMapFlag = getFlag(args, "oss_file_map");
+			let installOssFileMap;
+			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
+			await installOpenclaw(tag, resolveOssFileMap({
+				ossFileMapFlag,
+				installOssFileMap
+			}));
+			console.log(JSON.stringify({ ok: true }));
+			break;
+		}
+		case "install-extension": {
+			const tag = getPositionalTag(args, "install-extension");
+			if (!tag) {
+				console.error("Usage: install-extension <tag> (--all | --extension=<name>...) [--home_base=<dir>] [--config_path=<path>] [--skip-config-update] [--ctx=<base64> | --oss_file_map=<base64>]");
+				node_process.default.exit(1);
+			}
+			const all = args.includes("--all");
+			const names = getMultiFlag(args, "extension");
+			const homeBase = getFlag(args, "home_base");
+			const configPath = getFlag(args, "config_path");
+			const skipConfigUpdate = args.includes("--skip-config-update");
+			const ossFileMapFlag = getFlag(args, "oss_file_map");
+			let installOssFileMap;
+			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
+			await installExtension(tag, resolveOssFileMap({
+				ossFileMapFlag,
+				installOssFileMap
+			}), {
+				all,
+				names: names.length > 0 ? names : void 0,
+				homeBase,
+				configPath,
+				skipConfigUpdate
+			});
+			console.log(JSON.stringify({ ok: true }));
+			break;
 		}
-		console.log(JSON.stringify(getResetTask(taskId)));
-		break;
+		case "download-resource": {
+			const tag = getPositionalTag(args, "download-resource");
+			if (!tag) {
+				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
+				node_process.default.exit(1);
+			}
+			const role = getFlag(args, "role");
+			const name = getFlag(args, "name");
+			const dir = getFlag(args, "dir");
+			if (!role || !name) {
+				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>]");
+				node_process.default.exit(1);
+			}
+			const ossFileMapFlag = getFlag(args, "oss_file_map");
+			let installOssFileMap;
+			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
+			await downloadResource(tag, resolveOssFileMap({
+				ossFileMapFlag,
+				installOssFileMap
+			}), {
+				role,
+				name,
+				dir
+			});
+			console.log(JSON.stringify({ ok: true }));
+			break;
+		}
+		default:
+			node_process.default.stderr.write(`Unknown command: ${mode}\n\n`);
+			node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
+			node_process.default.exit(1);
 	}
-	default:
-		console.error("Usage: mclaw-diagnose <check|repair|backup|reset|get_reset_task> [options]");
-		node_process.default.exit(1);
 }
+main().catch((err) => {
+	const msg = err instanceof Error ? err.message : String(err);
+	console.error(`Error: ${msg}`);
+	node_process.default.exit(1);
+});
 //#endregion