@lark-apaas/openclaw-scripts-diagnose-cli 0.1.11 → 0.1.12-alpha.0

package/dist/index.cjs

@@ -52,7 +52,7 @@ node_assert = __toESM(node_assert);
 * it terse and parseable.
 */
 function getVersion() {
-	return "0.1.11";
+	return "0.1.12-alpha.0";
 }
 //#endregion
 //#region src/rule-engine/base.ts
@@ -1546,395 +1546,254 @@ function applyVars(str, entries) {
 	return out;
 }
 //#endregion
-//#region src/rules/agents-md-service-commands.ts
-const SERVICE_COMMAND_REPLACEMENTS = [
-	["`sh scripts/start.sh`", "`bash /opt/force/bin/openclaw_scripts/start.sh`"],
-	["`sh scripts/restart.sh`", "`bash /opt/force/bin/openclaw_scripts/restart.sh`"],
-	["`sh scripts/stop.sh`", "`bash /opt/force/bin/openclaw_scripts/stop.sh`"]
-];
-let AgentsMdServiceCommandsRule = class AgentsMdServiceCommandsRule extends DiagnoseRule {
+//#region src/rules/gateway.ts
+const DEFAULT_PORT = 18789;
+const DEFAULT_MODE = "local";
+const DEFAULT_BIND = "loopback";
+const DEFAULT_AUTH_MODE = "token";
+const DEFAULT_AUTH_TOKEN = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/gateway_auth_token"
+};
+/** Required entries in gateway.trustedProxies. Repair appends any missing
+*  entries while preserving caller-added extras (no overwrite). */
+const DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
+let GatewayRule = class GatewayRule extends DiagnoseRule {
 	validate(ctx) {
-		const agentsMdPath = collectExistingAgentsMdPaths(ctx).find((filePath) => {
-			return hasOldServiceCommands(node_fs.default.readFileSync(filePath, "utf-8"));
-		});
-		if (!agentsMdPath) return { pass: true };
-		return {
+		const gateway = ctx.config.gateway;
+		if (!gateway || typeof gateway !== "object") return {
 			pass: false,
-			message: `${agentsMdPath} 中存在旧版服务命令，需要改为 /opt/force/bin/openclaw_scripts 路径`
+			message: "gateway not found"
+		};
+		const gw = gateway;
+		if (gw.port !== DEFAULT_PORT) return {
+			pass: false,
+			message: "gateway.port mismatch: got " + gw.port + ", expected 18789"
+		};
+		if (gw.mode !== DEFAULT_MODE) return {
+			pass: false,
+			message: "gateway.mode mismatch: got " + gw.mode + ", expected local"
+		};
+		if (gw.bind !== DEFAULT_BIND) return {
+			pass: false,
+			message: "gateway.bind mismatch: got " + gw.bind + ", expected loopback"
+		};
+		const auth = gw.auth;
+		if (!auth || typeof auth !== "object") return {
+			pass: false,
+			message: "gateway.auth not found"
+		};
+		const authObj = auth;
+		if (authObj.mode !== DEFAULT_AUTH_MODE) return {
+			pass: false,
+			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected token"
+		};
+		const token = authObj.token;
+		if (typeof token === "string") {
+			if (token !== ctx.vars.gatewayToken) return {
+				pass: false,
+				message: "gateway.auth.token string value mismatch"
+			};
+		} else if (typeof token === "object" && token !== null && !Array.isArray(token)) {
+			if (!matchMap(token, DEFAULT_AUTH_TOKEN)) return {
+				pass: false,
+				message: "gateway.auth.token object mismatch: got " + JSON.stringify(token)
+			};
+		} else return {
+			pass: false,
+			message: "gateway.auth.token has unexpected type"
+		};
+		const controlUi = gw.controlUi;
+		if (!controlUi || typeof controlUi !== "object") return {
+			pass: false,
+			message: "gateway.controlUi not found"
+		};
+		if (controlUi.dangerouslyDisableDeviceAuth !== true) return {
+			pass: false,
+			message: "gateway.controlUi.dangerouslyDisableDeviceAuth must be true, got " + controlUi.dangerouslyDisableDeviceAuth
+		};
+		const proxies = gw.trustedProxies;
+		if (!Array.isArray(proxies)) return {
+			pass: false,
+			message: "gateway.trustedProxies missing or not an array"
+		};
+		const missing = DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
+		if (missing.length > 0) return {
+			pass: false,
+			message: "gateway.trustedProxies missing: " + JSON.stringify(missing)
 		};
+		return { pass: true };
 	}
 	repair(ctx) {
-		for (const agentsMdPath of collectExistingAgentsMdPaths(ctx)) {
-			const content = node_fs.default.readFileSync(agentsMdPath, "utf-8");
-			const next = replaceOldServiceCommands(content);
-			if (next !== content) node_fs.default.writeFileSync(agentsMdPath, next, "utf-8");
+		setNestedValue(ctx.config, ["gateway", "port"], DEFAULT_PORT);
+		setNestedValue(ctx.config, ["gateway", "mode"], DEFAULT_MODE);
+		setNestedValue(ctx.config, ["gateway", "bind"], DEFAULT_BIND);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"auth",
+			"mode"
+		], DEFAULT_AUTH_MODE);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"auth",
+			"token"
+		], DEFAULT_AUTH_TOKEN);
+		setNestedValue(ctx.config, [
+			"gateway",
+			"controlUi",
+			"dangerouslyDisableDeviceAuth"
+		], true);
+		const gw = ctx.config.gateway ?? {};
+		const current = Array.isArray(gw.trustedProxies) ? gw.trustedProxies.slice() : [];
+		const seen = new Set(current.map((v) => String(v)));
+		for (const p of DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
+			current.push(p);
+			seen.add(p);
 		}
+		setNestedValue(ctx.config, ["gateway", "trustedProxies"], current);
 	}
 };
-AgentsMdServiceCommandsRule = __decorate([Rule({
-	key: "agents_md_service_commands",
-	description: "检测各智能体 AGENTS.md 中旧版 OpenClaw 服务命令，并替换为 /opt/force/bin/openclaw_scripts 路径",
+GatewayRule = __decorate([Rule({
+	key: "gateway",
+	description: "验证 gateway 必填字段（port、mode、bind、auth、trustedProxies）是否存在且有效；修复缺失或非法值",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "silent"
-})], AgentsMdServiceCommandsRule);
-function hasOldServiceCommands(content) {
-	return SERVICE_COMMAND_REPLACEMENTS.some(([oldCmd]) => content.includes(oldCmd));
-}
-function replaceOldServiceCommands(content) {
-	let next = content;
-	for (const [oldCmd, newCmd] of SERVICE_COMMAND_REPLACEMENTS) next = next.split(oldCmd).join(newCmd);
-	return next;
-}
+	level: "critical",
+	usesVars: ["gatewayToken"]
+})], GatewayRule);
 //#endregion
-//#region src/rules/agents-md-resource-constrained-tools.ts
-const RESOURCE_CONSTRAINED_TOOLS_TAG = "resource_constrained_tools";
-const RESOURCE_CONSTRAINED_TOOLS_BLOCK = [
-	"<resource_constrained_tools>",
-	"### Browser tab 管理",
-	"Chrome tab 是沙箱里的**头号资源杀手**：在线上 OpenClaw 集群的 Mem Top10 里占 42%、CPU Top10 里占 70%。下面规则**全部**指 `browser` 工具自身的 action（不是别的 MCP），按\"调用前 / 调用后 / 自查 / 兜底\"四阶段顺序遵守，不要跳。",
-	"#### 调用 `browser action: \"open\"` 之前——必答两问",
-	"1. 我上一次 `open` 的 tab 是否还活着？活着 → 用 `action: \"navigate\"` + 它的 `targetId` 换 URL，**不要新开**。",
-	"2. 完成这次访问后，我下一步能不能立刻 `close`？不能 → 拆小任务，先不开。",
-	"#### 调用 `browser action: \"open\"` 之后——下一个 `browser` 工具调用必须是以下之一",
-	"- `action: \"navigate\"`（带 open 返回的 `targetId`）：复用此 tab 换 URL。",
-	"- `action: \"close\"`（带 open 返回的 `targetId`）：关闭此 tab，任务结束。",
-	"- `action: \"snapshot\"` / `\"click\"` / `\"type\"` 等：仅当**当前任务仍在这个 tab 上推进**时可用；任务做完仍必须显式 `close` 并传 `targetId`。",
-	"**严禁**下面这种序列（线上实测到的 chrome 内存 Top1 故障模式）：",
-	"    BAD:",
-	"      browser(open, url=A) → snapshot",
-	"      → browser(open, url=B) → snapshot",
-	"      → browser(open, url=C) → snapshot",
-	"      → …（任务结束未关）",
-	"      # 每次 open 都新建一个 tab；snapshot 不会关；chrome 堆栈式泄漏。",
-	"应该写成：",
-	"    GOOD:",
-	"      browser(open, url=A) → snapshot",
-	"      → browser(navigate, targetId=t1, url=B) → snapshot",
-	"      → … → browser(close, targetId=t1)",
-	"      # 始终复用同一个 tab；任务结束显式 close。",
-	"#### 异常时止损",
-	"发现 Chrome 卡顿、心跳延迟、沙箱负载升高：先 `close` 所有非活跃 tab；仍不行就让 shell 杀掉 chrome 进程（`pkill -INT chromium-browser` 或等价命令）让它按需重启，**不要**继续开新 tab。",
-	"### FFmpeg / 媒体编码使用限制",
-	"ffmpeg 默认吃满所有 CPU 核心，沙箱只有 1–2 vCPU，一次无约束转码就能拖垮心跳和 Browser。下面的规则**只针对 shell 直接调用的 `ffmpeg` / `ffprobe`**：",
-	"- **优先用 skill：** `skills/video-frames` 等媒体 skill 是已审查过的窄用例，跟着它们的写法走比自己手撸 ffmpeg 安全；只在 skill 不覆盖时才直接 shell `ffmpeg`。注意 `video-frames` 抽中后段帧用 `--time`（demuxer seek，几乎零 CPU）而非 `--index N`（会从头解码 N 帧）。",
-	"- **先 probe 再 encode：** 转码前先 `ffprobe -v error -threads 1 -show_streams -show_format -of json <input>` 拿到时长、码率、编码；能用 `-c copy` 流拷贝就绝不重编码；时长超 1200s 先 `-t` 截断或拒绝任务。",
-	"- **强制限线程：** 必须显式带 `-threads 1`（最多 `-threads 2`），滤镜链追加 `-filter_threads 1 -filter_complex_threads 1`。",
-	"- **软件编码必须 ultrafast：** x264/x265 统一 `-preset ultrafast`，禁止 `medium` 及以上预设；质量不够时降分辨率（`-vf scale=-2:720`）或降帧率（`-r 24`），不要靠提高 preset。",
-	"- **禁止并发 ffmpeg：** 同一沙箱内同时只允许一个 ffmpeg 进程，开下一个前用 `pgrep -x ffmpeg` 确认无残留；禁止 `xargs -P`、禁止循环里并行批处理。",
-	"- **必须前台 + 超时兜底：** 用 `timeout 45 ffmpeg -nostdin -hide_banner -loglevel error ...` 包一层（与上游 `MEDIA_FFMPEG_TIMEOUT_MS` 对齐，最多放宽到 `timeout 90`），ffprobe 用 `timeout 10`；禁止 `&` 后台、禁止 `nohup`，跑飞时必须能 Ctrl-C 打断。",
-	"- **中间产物即用即删：** 临时切片、调色板、`-pass 1` log 等，任务结束或失败时立即 `rm -f`，不要把 `/tmp/*.mp4`、`ffmpeg2pass-*.log` 留到下一个任务。",
-	"- **异常时硬停：** 沙箱变慢、心跳丢失、或 `frame=` 长时间不前进，立即 `pkill -INT ffmpeg`（不行就 `-KILL`）；**不要**重试相同命令，先降分辨率/preset 或改用流拷贝。",
-	"</resource_constrained_tools>"
-].join("\n");
-let AgentsMdResourceConstrainedToolsRule = class AgentsMdResourceConstrainedToolsRule extends DiagnoseRule {
+//#region src/rules/allowed-origins.ts
+let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 	validate(ctx) {
-		const stalePath = collectExistingAgentsMdPaths(ctx).find((filePath) => {
-			return !hasCurrentResourceConstrainedToolsBlock(node_fs.default.readFileSync(filePath, "utf-8"));
-		});
-		if (!stalePath) return { pass: true };
+		const expected = getExpectedOrigins(ctx.vars);
+		if (expected.length === 0) return { pass: true };
+		const current = getCurrentOrigins(ctx.config);
+		if (hasWildcard(current)) return { pass: true };
+		const missing = findMissing(current, expected);
+		if (missing.length === 0) return { pass: true };
 		return {
 			pass: false,
-			message: `${stalePath} 中缺少或存在旧版 resource_constrained_tools，需要更新`
+			message: "allowedOrigins missing: " + JSON.stringify(missing)
 		};
 	}
 	repair(ctx) {
-		for (const filePath of collectExistingAgentsMdPaths(ctx)) {
-			const content = node_fs.default.readFileSync(filePath, "utf-8");
-			const next = upsertResourceConstrainedToolsBlock(content);
-			if (next !== content) node_fs.default.writeFileSync(filePath, next, "utf-8");
+		const expected = getExpectedOrigins(ctx.vars);
+		const current = getCurrentOrigins(ctx.config);
+		if (hasWildcard(current)) return;
+		const missing = findMissing(current, expected);
+		if (missing.length > 0) {
+			const seen = /* @__PURE__ */ new Set();
+			const merged = [];
+			for (const o of current) if (!seen.has(o)) {
+				merged.push(o);
+				seen.add(o);
+			}
+			for (const o of missing) if (!seen.has(o)) {
+				merged.push(o);
+				seen.add(o);
+			}
+			setNestedValue(ctx.config, [
+				"gateway",
+				"controlUi",
+				"allowedOrigins"
+			], merged);
 		}
 	}
 };
-AgentsMdResourceConstrainedToolsRule = __decorate([Rule({
-	key: "agents_md_resource_constrained_tools",
-	description: "检测各智能体 AGENTS.md 中 resource_constrained_tools 规则块，缺失时追加，存在时替换为当前内容",
+AllowedOriginsRule = __decorate([Rule({
+	key: "allowed_origins",
+	description: "确保所有 expectedOrigins 条目都存在于 gateway.auth.allowedOrigins 中；自动追加缺失的条目",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "silent"
-})], AgentsMdResourceConstrainedToolsRule);
-function hasCurrentResourceConstrainedToolsBlock(content) {
-	return normalizeForTemplateMatch(content).includes(normalizeForTemplateMatch(RESOURCE_CONSTRAINED_TOOLS_BLOCK));
+	level: "critical",
+	usesVars: ["expectedOrigins"]
+})], AllowedOriginsRule);
+function getExpectedOrigins(vars) {
+	return Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
 }
-function normalizeForTemplateMatch(content) {
-	return content.replace(/\r\n?/g, "\n").split("\n").map((line) => line.trimEnd()).filter((line) => line.length > 0).join("\n");
+function getCurrentOrigins(config) {
+	const controlUi = getNestedMap(config, "gateway", "controlUi");
+	if (!controlUi) return [];
+	const raw = controlUi.allowedOrigins;
+	if (!Array.isArray(raw)) return [];
+	return raw.filter((o) => typeof o === "string");
 }
-function upsertResourceConstrainedToolsBlock(content) {
-	const tagRe = new RegExp(`<${RESOURCE_CONSTRAINED_TOOLS_TAG}>[\\s\\S]*?</${RESOURCE_CONSTRAINED_TOOLS_TAG}>`);
-	if (tagRe.test(content)) return content.replace(tagRe, RESOURCE_CONSTRAINED_TOOLS_BLOCK);
-	return `${content}${content.length > 0 && !content.endsWith("\n") ? "\n\n" : "\n"}${RESOURCE_CONSTRAINED_TOOLS_BLOCK}\n`;
+function findMissing(current, expected) {
+	const set = new Set(current);
+	return expected.filter((o) => !set.has(o));
+}
+/** Exact "*" entry means allow-all; pattern globs like "https://*.example.com" don't count. */
+function hasWildcard(origins) {
+	return origins.includes("*");
 }
 //#endregion
-//#region src/rules/model-provider.ts
-const DEFAULT_API_KEY = {
-	source: "file",
-	provider: "miaoda-provider",
-	id: "value"
-};
-const DEFAULT_X_API_KEY_HEADER = {
-	source: "file",
-	provider: "miaoda-secret-provider",
-	id: "/models_providers_miaoda_headers_x_api_key"
-};
-const DEFAULT_API = "openai-completions";
-function getExpected(vars) {
-	return {
-		baseUrl: vars.baseURL + "/api/v1/sgw/model/proxy",
-		apiKey: DEFAULT_API_KEY,
-		api: DEFAULT_API,
-		headers: { "x-api-key": DEFAULT_X_API_KEY_HEADER }
-	};
-}
-let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
-	validate(ctx) {
-		const provider = getNestedMap(ctx.config, "models", "providers", "miaoda");
-		if (!provider) return {
-			pass: false,
-			message: "models.providers.miaoda not found"
-		};
-		const expected = getExpected(ctx.vars);
-		if (provider.baseUrl !== expected.baseUrl) return {
-			pass: false,
-			message: "baseUrl mismatch: got " + provider.baseUrl + ", expected " + expected.baseUrl
-		};
-		const expectedApiKey = expected.apiKey && typeof expected.apiKey === "object" ? expected.apiKey : null;
-		if (expectedApiKey) if (typeof provider.apiKey === "object" && provider.apiKey !== null && !Array.isArray(provider.apiKey)) {
-			if (!matchMap(provider.apiKey, expectedApiKey)) return {
-				pass: false,
-				message: "apiKey object mismatch: got " + JSON.stringify(provider.apiKey)
-			};
-		} else if (typeof provider.apiKey === "string") {
-			if (!isValidJWT(provider.apiKey)) return {
-				pass: false,
-				message: "apiKey is a string but not a valid/unexpired JWT"
-			};
-		} else return {
-			pass: false,
-			message: "apiKey has unexpected type"
-		};
-		if (expected.api !== void 0) {
-			if (provider.api !== expected.api) return {
-				pass: false,
-				message: "api mismatch: got " + provider.api + ", expected " + expected.api
-			};
-		}
-		const expectedHeaders = getNestedMap(expected, "headers");
-		const expectedXApiKey = expectedHeaders ? expectedHeaders["x-api-key"] : void 0;
-		if (expectedXApiKey && typeof expectedXApiKey === "object") {
-			const xKey = (typeof provider.headers === "object" && provider.headers || {})["x-api-key"];
-			if (typeof xKey === "object" && xKey !== null && !Array.isArray(xKey)) {
-				if (!matchMap(xKey, expectedXApiKey)) return {
-					pass: false,
-					message: "headers.x-api-key object mismatch: got " + JSON.stringify(xKey)
-				};
-			} else if (typeof xKey === "string") {
-				if (xKey !== ctx.vars.innerAPIKey) return {
-					pass: false,
-					message: "headers.x-api-key string value mismatch"
-				};
-			} else return {
-				pass: false,
-				message: "headers.x-api-key has unexpected type"
-			};
-		}
-		return { pass: true };
-	}
-	repair(ctx) {
-		const expected = getExpected(ctx.vars);
-		setNestedValue(ctx.config, [
-			"models",
-			"providers",
-			"miaoda",
-			"baseUrl"
-		], expected.baseUrl);
-		if (expected.apiKey !== void 0) setNestedValue(ctx.config, [
-			"models",
-			"providers",
-			"miaoda",
-			"apiKey"
-		], expected.apiKey);
-		if (expected.api !== void 0) setNestedValue(ctx.config, [
-			"models",
-			"providers",
-			"miaoda",
-			"api"
-		], expected.api);
-		if (expected.headers !== void 0) setNestedValue(ctx.config, [
-			"models",
-			"providers",
-			"miaoda",
-			"headers"
-		], expected.headers);
+//#region src/rules/session-persistence.ts
+const DEFAULT_SESSION = {
+	resetByChannel: { feishu: {
+		mode: "idle",
+		idleMinutes: 10080
+	} },
+	maintenance: {
+		mode: "enforce",
+		resetArchiveRetention: "7d",
+		maxDiskBytes: "5GB"
 	}
 };
-ModelProviderRule = __decorate([Rule({
-	key: "model_provider",
-	description: "检查妙搭 model provider 配置项（baseUrl、apiKey、必要 headers）是否存在且格式正确；非妙搭沙箱时跳过",
-	dependsOn: ["config_syntax_check"],
-	repairMode: "standard",
-	level: "critical",
-	usesVars: ["innerAPIKey", "baseURL"],
-	skipWhen: ({ hasMiaoda }) => !hasMiaoda
-})], ModelProviderRule);
-//#endregion
-//#region src/rules/secret-provider.ts
-var _SecretProviderRule;
-let SecretProviderRule = class SecretProviderRule extends DiagnoseRule {
-	static {
-		_SecretProviderRule = this;
-	}
-	static DEFAULT_MIAODA_PROVIDER = {
-		source: "file",
-		path: "/home/gem/workspace/.force/openclaw/miaoda-provider-key",
-		mode: "singleValue"
-	};
-	static DEFAULT_MIAODA_SECRET_PROVIDER = {
-		source: "file",
-		path: "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json",
-		mode: "json"
-	};
+let SessionPersistenceRule = class SessionPersistenceRule extends DiagnoseRule {
 	validate(ctx) {
-		const providers = getNestedMap(ctx.config, "secrets", "providers");
-		if (!providers) return {
+		const session = getNestedMap(ctx.config, "session");
+		const issues = [];
+		if (!getNestedMap(session, "resetByChannel")) issues.push("session.resetByChannel missing");
+		if (!getNestedMap(session, "maintenance")) issues.push("session.maintenance missing");
+		if (issues.length === 0) return { pass: true };
+		return {
 			pass: false,
-			message: "secrets.providers not found"
+			message: issues.join("; ")
 		};
-		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
-		if (ctx.providerDeps.usesMiaodaProvider) {
-			const mp = providers["miaoda-provider"];
-			if (!mp || typeof mp !== "object" || !matchMap(mp, expectedMP)) return {
-				pass: false,
-				message: "secrets.providers.miaoda-provider mismatch: got " + JSON.stringify(mp)
-			};
-		}
-		if (ctx.providerDeps.usesMiaodaSecretProvider) {
-			const msp = providers["miaoda-secret-provider"];
-			if (!msp || typeof msp !== "object" || !matchMap(msp, expectedMSP)) return {
-				pass: false,
-				message: "secrets.providers.miaoda-secret-provider mismatch: got " + JSON.stringify(msp)
-			};
-		}
-		return { pass: true };
 	}
 	repair(ctx) {
-		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
-		if (ctx.providerDeps.usesMiaodaProvider) setNestedValue(ctx.config, [
-			"secrets",
-			"providers",
-			"miaoda-provider"
-		], expectedMP);
-		if (ctx.providerDeps.usesMiaodaSecretProvider) setNestedValue(ctx.config, [
-			"secrets",
-			"providers",
-			"miaoda-secret-provider"
-		], expectedMSP);
-	}
-	getExpected() {
-		return {
-			mp: _SecretProviderRule.DEFAULT_MIAODA_PROVIDER,
-			msp: _SecretProviderRule.DEFAULT_MIAODA_SECRET_PROVIDER
-		};
+		const session = getNestedMap(ctx.config, "session") ?? {};
+		if (!getNestedMap(ctx.config, "session")) ctx.config.session = session;
+		const needsResetByChannel = !getNestedMap(session, "resetByChannel");
+		const needsMaintenance = !getNestedMap(session, "maintenance");
+		if (!needsResetByChannel && !needsMaintenance) return;
+		if (needsResetByChannel) session.resetByChannel = DEFAULT_SESSION.resetByChannel;
+		if (needsMaintenance) session.maintenance = DEFAULT_SESSION.maintenance;
 	}
 };
-SecretProviderRule = _SecretProviderRule = __decorate([Rule({
-	key: "secret_provider",
-	description: "验证 miaoda-provider / miaoda-secret-provider 配置块是否存在且完整；未检测到妙搭 provider 时跳过",
+SessionPersistenceRule = __decorate([Rule({
+	key: "session_persistence",
+	description: "补齐 session.resetByChannel 与 session.maintenance 持久化配置",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "critical",
-	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider && !deps.usesMiaodaSecretProvider
-})], SecretProviderRule);
+	level: "silent"
+})], SessionPersistenceRule);
 //#endregion
-//#region src/rules/feishu-channel.ts
+//#region src/rules/feishu-default-account.ts
 /**
-* Owns `channels.feishu.enabled` + single-agent top-level appId/appSecret.
-* Multi-agent shape (`accounts` present) belongs to `feishu_default_account`.
+* Owns the multi-agent feishu-channel migration: turns legacy v1/v2
+* (top-level appId + defaultAccount/default) into v3 (`bot-<appId>` account),
+* preserving the user's top-level `appId` / `appSecret` verbatim. Once on
+* v3 this rule does not touch account values — the user owns them.
+* Single-agent configs (no `accounts`) are out of scope — handled by
+* `feishu_channel`.
 */
-let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
+/** Top-level `channels.feishu.*` account-policy fields migrated into the main bot. */
+const TOP_FIELDS_TO_MIGRATE = [
+	"dmPolicy",
+	"allowFrom",
+	"groupPolicy",
+	"groupAllowFrom"
+];
+let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRule {
 	validate(ctx) {
 		const feishu = getNestedMap(ctx.config, "channels", "feishu");
-		if (!feishu) return {
-			pass: false,
-			message: "channels.feishu not found"
-		};
-		if (feishu.enabled !== true) return {
-			pass: false,
-			message: "channels.feishu.enabled mismatch: got " + feishu.enabled + ", expected true"
-		};
-		if (asRecord(feishu.accounts)) return { pass: true };
-		if (feishu.appId !== ctx.vars.feishuAppID) return {
-			pass: false,
-			message: `channels.feishu.appId mismatch: got ${feishu.appId}, expected ${ctx.vars.feishuAppID}`
-		};
-		const secret = feishu.appSecret;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) return {
-				pass: false,
-				message: `channels.feishu.appSecret object mismatch: got ${JSON.stringify(secret)}`
-			};
-		} else if (typeof secret === "string") {
-			if (secret !== ctx.vars.feishuAppSecret) return {
-				pass: false,
-				message: "channels.feishu.appSecret string value mismatch"
-			};
-		} else return {
+		if (!feishu) return { pass: true };
+		if (!asRecord(feishu.accounts)) return { pass: true };
+		if (hasLegacyTopLevel(feishu)) return {
 			pass: false,
-			message: "channels.feishu.appSecret has unexpected type"
-		};
-		return { pass: true };
-	}
-	repair(ctx) {
-		setNestedValue(ctx.config, [
-			"channels",
-			"feishu",
-			"enabled"
-		], true);
-		if (asRecord(getNestedMap(ctx.config, "channels", "feishu").accounts)) return;
-		setNestedValue(ctx.config, [
-			"channels",
-			"feishu",
-			"appId"
-		], ctx.vars.feishuAppID);
-		setNestedValue(ctx.config, [
-			"channels",
-			"feishu",
-			"appSecret"
-		], DEFAULT_FEISHU_APP_SECRET);
-	}
-};
-FeishuChannelRule = __decorate([Rule({
-	key: "feishu_channel",
-	description: "确保 channels.feishu 已启用，且包含单 agent 所需的 appId 和 appSecret 字段",
-	dependsOn: ["config_syntax_check", "feishu_default_account"],
-	repairMode: "standard",
-	level: "critical",
-	usesVars: ["feishuAppID", "feishuAppSecret"]
-})], FeishuChannelRule);
-//#endregion
-//#region src/rules/feishu-default-account.ts
-/**
-* Owns the multi-agent feishu-channel migration: turns legacy v1/v2
-* (top-level appId + defaultAccount/default) into v3 (`bot-<appId>` account),
-* preserving the user's top-level `appId` / `appSecret` verbatim. Once on
-* v3 this rule does not touch account values — the user owns them.
-* Single-agent configs (no `accounts`) are out of scope — handled by
-* `feishu_channel`.
-*/
-/** Top-level `channels.feishu.*` account-policy fields migrated into the main bot. */
-const TOP_FIELDS_TO_MIGRATE = [
-	"dmPolicy",
-	"allowFrom",
-	"groupPolicy",
-	"groupAllowFrom"
-];
-let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRule {
-	validate(ctx) {
-		const feishu = getNestedMap(ctx.config, "channels", "feishu");
-		if (!feishu) return { pass: true };
-		if (!asRecord(feishu.accounts)) return { pass: true };
-		if (hasLegacyTopLevel(feishu)) return {
-			pass: false,
-			message: "channels.feishu has legacy shape; needs migration to accounts.bot-<appId>"
+			message: "channels.feishu has legacy shape; needs migration to accounts.bot-<appId>"
 		};
 		return { pass: true };
 	}
@@ -2042,6 +1901,72 @@ function hasLegacyTopLevel(feishu) {
 	return feishu.appSecret !== void 0;
 }
 //#endregion
+//#region src/rules/feishu-channel.ts
+/**
+* Owns `channels.feishu.enabled` + single-agent top-level appId/appSecret.
+* Multi-agent shape (`accounts` present) belongs to `feishu_default_account`.
+*/
+let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
+	validate(ctx) {
+		const feishu = getNestedMap(ctx.config, "channels", "feishu");
+		if (!feishu) return {
+			pass: false,
+			message: "channels.feishu not found"
+		};
+		if (feishu.enabled !== true) return {
+			pass: false,
+			message: "channels.feishu.enabled mismatch: got " + feishu.enabled + ", expected true"
+		};
+		if (asRecord(feishu.accounts)) return { pass: true };
+		if (feishu.appId !== ctx.vars.feishuAppID) return {
+			pass: false,
+			message: `channels.feishu.appId mismatch: got ${feishu.appId}, expected ${ctx.vars.feishuAppID}`
+		};
+		const secret = feishu.appSecret;
+		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
+			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) return {
+				pass: false,
+				message: `channels.feishu.appSecret object mismatch: got ${JSON.stringify(secret)}`
+			};
+		} else if (typeof secret === "string") {
+			if (secret !== ctx.vars.feishuAppSecret) return {
+				pass: false,
+				message: "channels.feishu.appSecret string value mismatch"
+			};
+		} else return {
+			pass: false,
+			message: "channels.feishu.appSecret has unexpected type"
+		};
+		return { pass: true };
+	}
+	repair(ctx) {
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"enabled"
+		], true);
+		if (asRecord(getNestedMap(ctx.config, "channels", "feishu").accounts)) return;
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"appId"
+		], ctx.vars.feishuAppID);
+		setNestedValue(ctx.config, [
+			"channels",
+			"feishu",
+			"appSecret"
+		], DEFAULT_FEISHU_APP_SECRET);
+	}
+};
+FeishuChannelRule = __decorate([Rule({
+	key: "feishu_channel",
+	description: "确保 channels.feishu 已启用，且包含单 agent 所需的 appId 和 appSecret 字段",
+	dependsOn: ["config_syntax_check", "feishu_default_account"],
+	repairMode: "standard",
+	level: "critical",
+	usesVars: ["feishuAppID", "feishuAppSecret"]
+})], FeishuChannelRule);
+//#endregion
 //#region src/rules/feishu-bot-id.ts
 let FeishuBotIdRule = class FeishuBotIdRule extends DiagnoseRule {
 	validate(ctx) {
@@ -2087,229 +2012,267 @@ function appIdFromAccountId(accountId) {
 	return accountId.slice(4);
 }
 //#endregion
-//#region src/rules/session-persistence.ts
-const DEFAULT_SESSION = {
-	resetByChannel: { feishu: {
-		mode: "idle",
-		idleMinutes: 10080
-	} },
-	maintenance: {
-		mode: "enforce",
-		resetArchiveRetention: "7d",
-		maxDiskBytes: "5GB"
-	}
-};
-let SessionPersistenceRule = class SessionPersistenceRule extends DiagnoseRule {
+//#region src/rules/feishu-accounts-consistency.ts
+/**
+* Detects count/id mismatches in multi-agent feishu channel config.
+* Single-agent configs (no `accounts`) are out of scope — handled by `feishu_channel`.
+*
+* Checks:
+*   1. channels.feishu.accounts count == agents.list count
+*   2. channels.feishu.accounts count == feishu bindings count
+*   3. Main agent's bot account appId == ctx.vars.feishuAppID
+*   4. agents.list id set == bindings agentId set (feishu channel)
+*   5. bindings accountId set (feishu channel) == accounts key set
+*/
+let FeishuAccountsConsistencyRule = class FeishuAccountsConsistencyRule extends DiagnoseRule {
 	validate(ctx) {
-		const session = getNestedMap(ctx.config, "session");
+		const feishu = getNestedMap(ctx.config, "channels", "feishu");
+		if (!feishu) return { pass: true };
+		const accounts = asRecord(feishu.accounts);
+		if (!accounts) return { pass: true };
+		const accountCount = Object.keys(accounts).length;
+		if (accountCount === 0) return { pass: true };
 		const issues = [];
-		if (!getNestedMap(session, "resetByChannel")) issues.push("session.resetByChannel missing");
-		if (!getNestedMap(session, "maintenance")) issues.push("session.maintenance missing");
+		const agentList = getAgentList(ctx.config);
+		const feishuBindings = getFeishuBindings(ctx.config);
+		if (agentList.length > 0 && accountCount !== agentList.length) issues.push(`飞书账号数（${accountCount}）与 agents.list 代理数（${agentList.length}）不一致，两者应相等`);
+		if (feishuBindings.length > 0 && accountCount !== feishuBindings.length) issues.push(`飞书账号数（${accountCount}）与 feishu 类型 bindings 数（${feishuBindings.length}）不一致，两者应相等`);
+		const mainAgent = findMainAgent(ctx.config);
+		const mainId = typeof mainAgent?.id === "string" && mainAgent.id !== "" ? mainAgent.id : feishuBindings.find((b) => asRecord(b)?.agentId === "main") ? "main" : "";
+		if (mainId === "") issues.push("存在多账号配置（channels.feishu.accounts）但无法确定主 agent：agents.list 中没有标记 default:true 或 id:\"main\" 的代理，feishu bindings 中也没有 agentId:\"main\" 的路由");
+		else {
+			const expectedAppId = ctx.vars?.feishuAppID;
+			if (typeof expectedAppId === "string" && expectedAppId !== "") {
+				const mainBinding = feishuBindings.find((b) => asRecord(b)?.agentId === mainId);
+				const mainAccountId = asRecord(asRecord(mainBinding)?.match)?.accountId;
+				if (typeof mainAccountId === "string") {
+					const mainBotAcc = asRecord(accounts[mainAccountId]);
+					if (mainBotAcc && mainBotAcc.appId !== expectedAppId) issues.push(`主 agent（${mainId}）绑定的飞书账号（${mainAccountId}）的 appId 为 "${mainBotAcc.appId}"，与平台下发的 feishuAppID "${expectedAppId}" 不符`);
+				} else if (mainBinding != null) issues.push(`主 agent（${mainId}）的 feishu binding 缺少 match.accountId 字段，无法校验 appId 是否与平台下发的 feishuAppID "${expectedAppId}" 一致`);
+			}
+		}
+		if (agentList.length > 0 && feishuBindings.length > 0) {
+			const agentIds = new Set(agentList.map((a) => asRecord(a)?.id).filter((id) => typeof id === "string"));
+			const bindingAgentIds = new Set(feishuBindings.map((b) => asRecord(b)?.agentId).filter((id) => typeof id === "string"));
+			const missingInBindings = [...agentIds].filter((id) => !bindingAgentIds.has(id));
+			const extraInBindings = [...bindingAgentIds].filter((id) => !agentIds.has(id));
+			if (missingInBindings.length > 0) issues.push(`agent（${missingInBindings.join("、")}）存在于 agents.list 但缺少对应的 feishu binding`);
+			if (extraInBindings.length > 0) issues.push(`binding 引用了 agentId（${extraInBindings.join("、")}），但该 agent 不在 agents.list 中`);
+		}
+		if (feishuBindings.length > 0) {
+			const accountIds = new Set(Object.keys(accounts));
+			const bindingAccountIds = new Set(feishuBindings.map((b) => asRecord(asRecord(b)?.match)?.accountId).filter((id) => typeof id === "string"));
+			const missingInBindings = [...accountIds].filter((id) => !bindingAccountIds.has(id));
+			const extraInBindings = [...bindingAccountIds].filter((id) => !accountIds.has(id));
+			if (missingInBindings.length > 0) issues.push(`飞书账号（${missingInBindings.join("、")}）存在于 channels.feishu.accounts 但没有对应的 feishu binding`);
+			if (extraInBindings.length > 0) issues.push(`binding 引用了 accountId（${extraInBindings.join("、")}），但该账号不在 channels.feishu.accounts 中`);
+		}
 		if (issues.length === 0) return { pass: true };
 		return {
 			pass: false,
-			message: issues.join("; ")
+			message: issues.map((s, i) => `[${i + 1}] ${s}`).join("；")
 		};
 	}
-	repair(ctx) {
-		const session = getNestedMap(ctx.config, "session") ?? {};
-		if (!getNestedMap(ctx.config, "session")) ctx.config.session = session;
-		const needsResetByChannel = !getNestedMap(session, "resetByChannel");
-		const needsMaintenance = !getNestedMap(session, "maintenance");
-		if (!needsResetByChannel && !needsMaintenance) return;
-		if (needsResetByChannel) session.resetByChannel = DEFAULT_SESSION.resetByChannel;
-		if (needsMaintenance) session.maintenance = DEFAULT_SESSION.maintenance;
-	}
 };
-SessionPersistenceRule = __decorate([Rule({
-	key: "session_persistence",
-	description: "补齐 session.resetByChannel 与 session.maintenance 持久化配置",
+FeishuAccountsConsistencyRule = __decorate([Rule({
+	key: "feishu_accounts_consistency",
+	description: "检测多 agent 配置中 channels.feishu.accounts、agents.list 与 feishu bindings 之间的数量/ID 不一致（实验性）",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard",
-	level: "silent"
-})], SessionPersistenceRule);
+	repairMode: "check-only",
+	level: "silent",
+	usesVars: ["feishuAppID"],
+	profile: "experimental"
+})], FeishuAccountsConsistencyRule);
+function getAgentList(config) {
+	const agents = getNestedMap(config, "agents");
+	return Array.isArray(agents?.list) ? agents.list : [];
+}
+function getFeishuBindings(config) {
+	if (!Array.isArray(config.bindings)) return [];
+	return config.bindings.filter((b) => {
+		return asRecord(asRecord(b)?.match)?.channel === "feishu";
+	});
+}
 //#endregion
-//#region src/rules/gateway.ts
-const DEFAULT_PORT = 18789;
-const DEFAULT_MODE = "local";
-const DEFAULT_BIND = "loopback";
-const DEFAULT_AUTH_MODE = "token";
-const DEFAULT_AUTH_TOKEN = {
+//#region src/rules/model-provider.ts
+const DEFAULT_API_KEY = {
+	source: "file",
+	provider: "miaoda-provider",
+	id: "value"
+};
+const DEFAULT_X_API_KEY_HEADER = {
 	source: "file",
 	provider: "miaoda-secret-provider",
-	id: "/gateway_auth_token"
+	id: "/models_providers_miaoda_headers_x_api_key"
 };
-/** Required entries in gateway.trustedProxies. Repair appends any missing
-*  entries while preserving caller-added extras (no overwrite). */
-const DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
-let GatewayRule = class GatewayRule extends DiagnoseRule {
+const DEFAULT_API = "openai-completions";
+function getExpected(vars) {
+	return {
+		baseUrl: vars.baseURL + "/api/v1/sgw/model/proxy",
+		apiKey: DEFAULT_API_KEY,
+		api: DEFAULT_API,
+		headers: { "x-api-key": DEFAULT_X_API_KEY_HEADER }
+	};
+}
+let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 	validate(ctx) {
-		const gateway = ctx.config.gateway;
-		if (!gateway || typeof gateway !== "object") return {
-			pass: false,
-			message: "gateway not found"
-		};
-		const gw = gateway;
-		if (gw.port !== DEFAULT_PORT) return {
+		const provider = getNestedMap(ctx.config, "models", "providers", "miaoda");
+		if (!provider) return {
 			pass: false,
-			message: "gateway.port mismatch: got " + gw.port + ", expected 18789"
+			message: "models.providers.miaoda not found"
 		};
-		if (gw.mode !== DEFAULT_MODE) return {
+		const expected = getExpected(ctx.vars);
+		if (provider.baseUrl !== expected.baseUrl) return {
 			pass: false,
-			message: "gateway.mode mismatch: got " + gw.mode + ", expected local"
+			message: "baseUrl mismatch: got " + provider.baseUrl + ", expected " + expected.baseUrl
 		};
-		if (gw.bind !== DEFAULT_BIND) return {
-			pass: false,
-			message: "gateway.bind mismatch: got " + gw.bind + ", expected loopback"
-		};
-		const auth = gw.auth;
-		if (!auth || typeof auth !== "object") return {
-			pass: false,
-			message: "gateway.auth not found"
-		};
-		const authObj = auth;
-		if (authObj.mode !== DEFAULT_AUTH_MODE) return {
-			pass: false,
-			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected token"
-		};
-		const token = authObj.token;
-		if (typeof token === "string") {
-			if (token !== ctx.vars.gatewayToken) return {
+		const expectedApiKey = expected.apiKey && typeof expected.apiKey === "object" ? expected.apiKey : null;
+		if (expectedApiKey) if (typeof provider.apiKey === "object" && provider.apiKey !== null && !Array.isArray(provider.apiKey)) {
+			if (!matchMap(provider.apiKey, expectedApiKey)) return {
 				pass: false,
-				message: "gateway.auth.token string value mismatch"
+				message: "apiKey object mismatch: got " + JSON.stringify(provider.apiKey)
 			};
-		} else if (typeof token === "object" && token !== null && !Array.isArray(token)) {
-			if (!matchMap(token, DEFAULT_AUTH_TOKEN)) return {
+		} else if (typeof provider.apiKey === "string") {
+			if (!isValidJWT(provider.apiKey)) return {
 				pass: false,
-				message: "gateway.auth.token object mismatch: got " + JSON.stringify(token)
+				message: "apiKey is a string but not a valid/unexpired JWT"
 			};
 		} else return {
 			pass: false,
-			message: "gateway.auth.token has unexpected type"
-		};
-		const controlUi = gw.controlUi;
-		if (!controlUi || typeof controlUi !== "object") return {
-			pass: false,
-			message: "gateway.controlUi not found"
-		};
-		if (controlUi.dangerouslyDisableDeviceAuth !== true) return {
-			pass: false,
-			message: "gateway.controlUi.dangerouslyDisableDeviceAuth must be true, got " + controlUi.dangerouslyDisableDeviceAuth
-		};
-		const proxies = gw.trustedProxies;
-		if (!Array.isArray(proxies)) return {
-			pass: false,
-			message: "gateway.trustedProxies missing or not an array"
-		};
-		const missing = DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
-		if (missing.length > 0) return {
-			pass: false,
-			message: "gateway.trustedProxies missing: " + JSON.stringify(missing)
+			message: "apiKey has unexpected type"
 		};
+		if (expected.api !== void 0) {
+			if (provider.api !== expected.api) return {
+				pass: false,
+				message: "api mismatch: got " + provider.api + ", expected " + expected.api
+			};
+		}
+		const expectedHeaders = getNestedMap(expected, "headers");
+		const expectedXApiKey = expectedHeaders ? expectedHeaders["x-api-key"] : void 0;
+		if (expectedXApiKey && typeof expectedXApiKey === "object") {
+			const xKey = (typeof provider.headers === "object" && provider.headers || {})["x-api-key"];
+			if (typeof xKey === "object" && xKey !== null && !Array.isArray(xKey)) {
+				if (!matchMap(xKey, expectedXApiKey)) return {
+					pass: false,
+					message: "headers.x-api-key object mismatch: got " + JSON.stringify(xKey)
+				};
+			} else if (typeof xKey === "string") {
+				if (xKey !== ctx.vars.innerAPIKey) return {
+					pass: false,
+					message: "headers.x-api-key string value mismatch"
+				};
+			} else return {
+				pass: false,
+				message: "headers.x-api-key has unexpected type"
+			};
+		}
 		return { pass: true };
 	}
 	repair(ctx) {
-		setNestedValue(ctx.config, ["gateway", "port"], DEFAULT_PORT);
-		setNestedValue(ctx.config, ["gateway", "mode"], DEFAULT_MODE);
-		setNestedValue(ctx.config, ["gateway", "bind"], DEFAULT_BIND);
-		setNestedValue(ctx.config, [
-			"gateway",
-			"auth",
-			"mode"
-		], DEFAULT_AUTH_MODE);
-		setNestedValue(ctx.config, [
-			"gateway",
-			"auth",
-			"token"
-		], DEFAULT_AUTH_TOKEN);
+		const expected = getExpected(ctx.vars);
 		setNestedValue(ctx.config, [
-			"gateway",
-			"controlUi",
-			"dangerouslyDisableDeviceAuth"
-		], true);
-		const gw = ctx.config.gateway ?? {};
-		const current = Array.isArray(gw.trustedProxies) ? gw.trustedProxies.slice() : [];
-		const seen = new Set(current.map((v) => String(v)));
-		for (const p of DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
-			current.push(p);
-			seen.add(p);
-		}
-		setNestedValue(ctx.config, ["gateway", "trustedProxies"], current);
+			"models",
+			"providers",
+			"miaoda",
+			"baseUrl"
+		], expected.baseUrl);
+		if (expected.apiKey !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"apiKey"
+		], expected.apiKey);
+		if (expected.api !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"api"
+		], expected.api);
+		if (expected.headers !== void 0) setNestedValue(ctx.config, [
+			"models",
+			"providers",
+			"miaoda",
+			"headers"
+		], expected.headers);
 	}
 };
-GatewayRule = __decorate([Rule({
-	key: "gateway",
-	description: "验证 gateway 必填字段（port、mode、bind、auth、trustedProxies）是否存在且有效；修复缺失或非法值",
+ModelProviderRule = __decorate([Rule({
+	key: "model_provider",
+	description: "检查妙搭 model provider 配置项（baseUrl、apiKey、必要 headers）是否存在且格式正确；非妙搭沙箱时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	level: "critical",
-	usesVars: ["gatewayToken"]
-})], GatewayRule);
+	usesVars: ["innerAPIKey", "baseURL"],
+	skipWhen: ({ hasMiaoda }) => !hasMiaoda
+})], ModelProviderRule);
 //#endregion
-//#region src/rules/allowed-origins.ts
-let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
+//#region src/rules/secret-provider.ts
+var _SecretProviderRule;
+let SecretProviderRule = class SecretProviderRule extends DiagnoseRule {
+	static {
+		_SecretProviderRule = this;
+	}
+	static DEFAULT_MIAODA_PROVIDER = {
+		source: "file",
+		path: "/home/gem/workspace/.force/openclaw/miaoda-provider-key",
+		mode: "singleValue"
+	};
+	static DEFAULT_MIAODA_SECRET_PROVIDER = {
+		source: "file",
+		path: "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json",
+		mode: "json"
+	};
 	validate(ctx) {
-		const expected = getExpectedOrigins(ctx.vars);
-		if (expected.length === 0) return { pass: true };
-		const current = getCurrentOrigins(ctx.config);
-		if (hasWildcard(current)) return { pass: true };
-		const missing = findMissing(current, expected);
-		if (missing.length === 0) return { pass: true };
-		return {
+		const providers = getNestedMap(ctx.config, "secrets", "providers");
+		if (!providers) return {
 			pass: false,
-			message: "allowedOrigins missing: " + JSON.stringify(missing)
+			message: "secrets.providers not found"
 		};
+		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
+		if (ctx.providerDeps.usesMiaodaProvider) {
+			const mp = providers["miaoda-provider"];
+			if (!mp || typeof mp !== "object" || !matchMap(mp, expectedMP)) return {
+				pass: false,
+				message: "secrets.providers.miaoda-provider mismatch: got " + JSON.stringify(mp)
+			};
+		}
+		if (ctx.providerDeps.usesMiaodaSecretProvider) {
+			const msp = providers["miaoda-secret-provider"];
+			if (!msp || typeof msp !== "object" || !matchMap(msp, expectedMSP)) return {
+				pass: false,
+				message: "secrets.providers.miaoda-secret-provider mismatch: got " + JSON.stringify(msp)
+			};
+		}
+		return { pass: true };
 	}
 	repair(ctx) {
-		const expected = getExpectedOrigins(ctx.vars);
-		const current = getCurrentOrigins(ctx.config);
-		if (hasWildcard(current)) return;
-		const missing = findMissing(current, expected);
-		if (missing.length > 0) {
-			const seen = /* @__PURE__ */ new Set();
-			const merged = [];
-			for (const o of current) if (!seen.has(o)) {
-				merged.push(o);
-				seen.add(o);
-			}
-			for (const o of missing) if (!seen.has(o)) {
-				merged.push(o);
-				seen.add(o);
-			}
-			setNestedValue(ctx.config, [
-				"gateway",
-				"controlUi",
-				"allowedOrigins"
-			], merged);
-		}
+		const { mp: expectedMP, msp: expectedMSP } = this.getExpected();
+		if (ctx.providerDeps.usesMiaodaProvider) setNestedValue(ctx.config, [
+			"secrets",
+			"providers",
+			"miaoda-provider"
+		], expectedMP);
+		if (ctx.providerDeps.usesMiaodaSecretProvider) setNestedValue(ctx.config, [
+			"secrets",
+			"providers",
+			"miaoda-secret-provider"
+		], expectedMSP);
+	}
+	getExpected() {
+		return {
+			mp: _SecretProviderRule.DEFAULT_MIAODA_PROVIDER,
+			msp: _SecretProviderRule.DEFAULT_MIAODA_SECRET_PROVIDER
+		};
 	}
 };
-AllowedOriginsRule = __decorate([Rule({
-	key: "allowed_origins",
-	description: "确保所有 expectedOrigins 条目都存在于 gateway.auth.allowedOrigins 中；自动追加缺失的条目",
+SecretProviderRule = _SecretProviderRule = __decorate([Rule({
+	key: "secret_provider",
+	description: "验证 miaoda-provider / miaoda-secret-provider 配置块是否存在且完整；未检测到妙搭 provider 时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	level: "critical",
-	usesVars: ["expectedOrigins"]
-})], AllowedOriginsRule);
-function getExpectedOrigins(vars) {
-	return Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
-}
-function getCurrentOrigins(config) {
-	const controlUi = getNestedMap(config, "gateway", "controlUi");
-	if (!controlUi) return [];
-	const raw = controlUi.allowedOrigins;
-	if (!Array.isArray(raw)) return [];
-	return raw.filter((o) => typeof o === "string");
-}
-function findMissing(current, expected) {
-	const set = new Set(current);
-	return expected.filter((o) => !set.has(o));
-}
-/** Exact "*" entry means allow-all; pattern globs like "https://*.example.com" don't count. */
-function hasWildcard(origins) {
-	return origins.includes("*");
-}
+	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider && !deps.usesMiaodaSecretProvider
+})], SecretProviderRule);
 //#endregion
 //#region src/rules/jwt-token.ts
 let JwtTokenRule = class JwtTokenRule extends DiagnoseRule {
@@ -2438,54 +2401,124 @@ SecretsFileRule = __decorate([Rule({
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaSecretProvider
 })], SecretsFileRule);
 //#endregion
-//#region src/rules/cleanup-install-backup-dirs.ts
-const DIR_PREFIX = ".openclaw-install-";
-function resolveExtensionsDir(configPath) {
-	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
-}
-function findLeftoverDirs(extensionsDir) {
-	if (!fileExists(extensionsDir)) return [];
-	let entries;
-	try {
-		entries = node_fs.default.readdirSync(extensionsDir, { withFileTypes: true });
-	} catch {
-		return [];
-	}
-	return entries.filter((e) => e.isDirectory() && e.name.startsWith(DIR_PREFIX)).map((e) => node_path.default.join(extensionsDir, e.name));
+//#region src/rules/agents-md-service-commands.ts
+const SERVICE_COMMAND_REPLACEMENTS = [
+	["`sh scripts/start.sh`", "`bash /opt/force/bin/openclaw_scripts/start.sh`"],
+	["`sh scripts/restart.sh`", "`bash /opt/force/bin/openclaw_scripts/restart.sh`"],
+	["`sh scripts/stop.sh`", "`bash /opt/force/bin/openclaw_scripts/stop.sh`"]
+];
+let AgentsMdServiceCommandsRule = class AgentsMdServiceCommandsRule extends DiagnoseRule {
+	validate(ctx) {
+		const agentsMdPath = collectExistingAgentsMdPaths(ctx).find((filePath) => {
+			return hasOldServiceCommands(node_fs.default.readFileSync(filePath, "utf-8"));
+		});
+		if (!agentsMdPath) return { pass: true };
+		return {
+			pass: false,
+			message: `${agentsMdPath} 中存在旧版服务命令，需要改为 /opt/force/bin/openclaw_scripts 路径`
+		};
+	}
+	repair(ctx) {
+		for (const agentsMdPath of collectExistingAgentsMdPaths(ctx)) {
+			const content = node_fs.default.readFileSync(agentsMdPath, "utf-8");
+			const next = replaceOldServiceCommands(content);
+			if (next !== content) node_fs.default.writeFileSync(agentsMdPath, next, "utf-8");
+		}
+	}
+};
+AgentsMdServiceCommandsRule = __decorate([Rule({
+	key: "agents_md_service_commands",
+	description: "检测各智能体 AGENTS.md 中旧版 OpenClaw 服务命令，并替换为 /opt/force/bin/openclaw_scripts 路径",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	level: "silent"
+})], AgentsMdServiceCommandsRule);
+function hasOldServiceCommands(content) {
+	return SERVICE_COMMAND_REPLACEMENTS.some(([oldCmd]) => content.includes(oldCmd));
 }
-let CleanupInstallBackupDirsRule = class CleanupInstallBackupDirsRule extends DiagnoseRule {
+function replaceOldServiceCommands(content) {
+	let next = content;
+	for (const [oldCmd, newCmd] of SERVICE_COMMAND_REPLACEMENTS) next = next.split(oldCmd).join(newCmd);
+	return next;
+}
+//#endregion
+//#region src/rules/agents-md-resource-constrained-tools.ts
+const RESOURCE_CONSTRAINED_TOOLS_TAG = "resource_constrained_tools";
+const RESOURCE_CONSTRAINED_TOOLS_BLOCK = [
+	"<resource_constrained_tools>",
+	"### Browser tab 管理",
+	"Chrome tab 是沙箱里的**头号资源杀手**：在线上 OpenClaw 集群的 Mem Top10 里占 42%、CPU Top10 里占 70%。下面规则**全部**指 `browser` 工具自身的 action（不是别的 MCP），按\"调用前 / 调用后 / 自查 / 兜底\"四阶段顺序遵守，不要跳。",
+	"#### 调用 `browser action: \"open\"` 之前——必答两问",
+	"1. 我上一次 `open` 的 tab 是否还活着？活着 → 用 `action: \"navigate\"` + 它的 `targetId` 换 URL，**不要新开**。",
+	"2. 完成这次访问后，我下一步能不能立刻 `close`？不能 → 拆小任务，先不开。",
+	"#### 调用 `browser action: \"open\"` 之后——下一个 `browser` 工具调用必须是以下之一",
+	"- `action: \"navigate\"`（带 open 返回的 `targetId`）：复用此 tab 换 URL。",
+	"- `action: \"close\"`（带 open 返回的 `targetId`）：关闭此 tab，任务结束。",
+	"- `action: \"snapshot\"` / `\"click\"` / `\"type\"` 等：仅当**当前任务仍在这个 tab 上推进**时可用；任务做完仍必须显式 `close` 并传 `targetId`。",
+	"**严禁**下面这种序列（线上实测到的 chrome 内存 Top1 故障模式）：",
+	"    BAD:",
+	"      browser(open, url=A) → snapshot",
+	"      → browser(open, url=B) → snapshot",
+	"      → browser(open, url=C) → snapshot",
+	"      → …（任务结束未关）",
+	"      # 每次 open 都新建一个 tab；snapshot 不会关；chrome 堆栈式泄漏。",
+	"应该写成：",
+	"    GOOD:",
+	"      browser(open, url=A) → snapshot",
+	"      → browser(navigate, targetId=t1, url=B) → snapshot",
+	"      → … → browser(close, targetId=t1)",
+	"      # 始终复用同一个 tab；任务结束显式 close。",
+	"#### 异常时止损",
+	"发现 Chrome 卡顿、心跳延迟、沙箱负载升高：先 `close` 所有非活跃 tab；仍不行就让 shell 杀掉 chrome 进程（`pkill -INT chromium-browser` 或等价命令）让它按需重启，**不要**继续开新 tab。",
+	"### FFmpeg / 媒体编码使用限制",
+	"ffmpeg 默认吃满所有 CPU 核心，沙箱只有 1–2 vCPU，一次无约束转码就能拖垮心跳和 Browser。下面的规则**只针对 shell 直接调用的 `ffmpeg` / `ffprobe`**：",
+	"- **优先用 skill：** `skills/video-frames` 等媒体 skill 是已审查过的窄用例，跟着它们的写法走比自己手撸 ffmpeg 安全；只在 skill 不覆盖时才直接 shell `ffmpeg`。注意 `video-frames` 抽中后段帧用 `--time`（demuxer seek，几乎零 CPU）而非 `--index N`（会从头解码 N 帧）。",
+	"- **先 probe 再 encode：** 转码前先 `ffprobe -v error -threads 1 -show_streams -show_format -of json <input>` 拿到时长、码率、编码；能用 `-c copy` 流拷贝就绝不重编码；时长超 1200s 先 `-t` 截断或拒绝任务。",
+	"- **强制限线程：** 必须显式带 `-threads 1`（最多 `-threads 2`），滤镜链追加 `-filter_threads 1 -filter_complex_threads 1`。",
+	"- **软件编码必须 ultrafast：** x264/x265 统一 `-preset ultrafast`，禁止 `medium` 及以上预设；质量不够时降分辨率（`-vf scale=-2:720`）或降帧率（`-r 24`），不要靠提高 preset。",
+	"- **禁止并发 ffmpeg：** 同一沙箱内同时只允许一个 ffmpeg 进程，开下一个前用 `pgrep -x ffmpeg` 确认无残留；禁止 `xargs -P`、禁止循环里并行批处理。",
+	"- **必须前台 + 超时兜底：** 用 `timeout 45 ffmpeg -nostdin -hide_banner -loglevel error ...` 包一层（与上游 `MEDIA_FFMPEG_TIMEOUT_MS` 对齐，最多放宽到 `timeout 90`），ffprobe 用 `timeout 10`；禁止 `&` 后台、禁止 `nohup`，跑飞时必须能 Ctrl-C 打断。",
+	"- **中间产物即用即删：** 临时切片、调色板、`-pass 1` log 等，任务结束或失败时立即 `rm -f`，不要把 `/tmp/*.mp4`、`ffmpeg2pass-*.log` 留到下一个任务。",
+	"- **异常时硬停：** 沙箱变慢、心跳丢失、或 `frame=` 长时间不前进，立即 `pkill -INT ffmpeg`（不行就 `-KILL`）；**不要**重试相同命令，先降分辨率/preset 或改用流拷贝。",
+	"</resource_constrained_tools>"
+].join("\n");
+let AgentsMdResourceConstrainedToolsRule = class AgentsMdResourceConstrainedToolsRule extends DiagnoseRule {
 	validate(ctx) {
-		const { configPath } = ctx;
-		if (!configPath) return { pass: true };
-		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
-		if (dirs.length === 0) return { pass: true };
+		const stalePath = collectExistingAgentsMdPaths(ctx).find((filePath) => {
+			return !hasCurrentResourceConstrainedToolsBlock(node_fs.default.readFileSync(filePath, "utf-8"));
+		});
+		if (!stalePath) return { pass: true };
 		return {
 			pass: false,
-			message: `extensions 目录下发现 ${dirs.length} 个 ${DIR_PREFIX}* 脏目录需要清理`
+			message: `${stalePath} 中缺少或存在旧版 resource_constrained_tools，需要更新`
 		};
 	}
 	repair(ctx) {
-		const { configPath } = ctx;
-		if (!configPath) return;
-		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
-		const failures = [];
-		for (const dir of dirs) try {
-			node_fs.default.rmSync(dir, {
-				recursive: true,
-				force: true
-			});
-		} catch (e) {
-			failures.push(`${node_path.default.basename(dir)}: ${e.message}`);
+		for (const filePath of collectExistingAgentsMdPaths(ctx)) {
+			const content = node_fs.default.readFileSync(filePath, "utf-8");
+			const next = upsertResourceConstrainedToolsBlock(content);
+			if (next !== content) node_fs.default.writeFileSync(filePath, next, "utf-8");
 		}
-		if (dirs.length > 0 && failures.length === dirs.length) throw new Error(`cleanup_install_backup_dirs: 全部清理失败: ${failures.join("; ")}`);
 	}
 };
-CleanupInstallBackupDirsRule = __decorate([Rule({
-	key: "cleanup_install_backup_dirs",
-	description: "清理 extensions/ 目录中升级中断遗留的 .openclaw-install-stage-* 和 .openclaw-install-backups/ 脏目录",
+AgentsMdResourceConstrainedToolsRule = __decorate([Rule({
+	key: "agents_md_resource_constrained_tools",
+	description: "检测各智能体 AGENTS.md 中 resource_constrained_tools 规则块，缺失时追加，存在时替换为当前内容",
+	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "critical"
-})], CleanupInstallBackupDirsRule);
+	level: "silent"
+})], AgentsMdResourceConstrainedToolsRule);
+function hasCurrentResourceConstrainedToolsBlock(content) {
+	return normalizeForTemplateMatch(content).includes(normalizeForTemplateMatch(RESOURCE_CONSTRAINED_TOOLS_BLOCK));
+}
+function normalizeForTemplateMatch(content) {
+	return content.replace(/\r\n?/g, "\n").split("\n").map((line) => line.trimEnd()).filter((line) => line.length > 0).join("\n");
+}
+function upsertResourceConstrainedToolsBlock(content) {
+	const tagRe = new RegExp(`<${RESOURCE_CONSTRAINED_TOOLS_TAG}>[\\s\\S]*?</${RESOURCE_CONSTRAINED_TOOLS_TAG}>`);
+	if (tagRe.test(content)) return content.replace(tagRe, RESOURCE_CONSTRAINED_TOOLS_BLOCK);
+	return `${content}${content.length > 0 && !content.endsWith("\n") ? "\n\n" : "\n"}${RESOURCE_CONSTRAINED_TOOLS_BLOCK}\n`;
+}
 //#endregion
 //#region src/rules/miaoda-official-plugins-install-spec-unlock.ts
 /**
@@ -2545,73 +2578,47 @@ MiaodaOfficialPluginsInstallSpecUnlockRule = __decorate([Rule({
 	level: "silent"
 })], MiaodaOfficialPluginsInstallSpecUnlockRule);
 //#endregion
-//#region src/rules/old-miaoda-plugins-cleanup.ts
-const NEW_MIAODA = "openclaw-extension-miaoda";
-const OLD_PLUGIN_NAMES = Object.freeze([
-	"openclaw-feishu-greeting",
-	"openclaw-miaoda-keepalive",
-	"feishu-greeting",
-	"miaoda-keepalive"
-]);
-function getPluginMaps(config) {
-	const rawAllow = asRecord(config.plugins)?.allow;
-	return {
-		entries: getNestedMap(config, "plugins", "entries"),
-		installs: getNestedMap(config, "plugins", "installs"),
-		allow: Array.isArray(rawAllow) ? rawAllow : void 0
-	};
-}
-function hasNewMiaoda({ entries, installs, allow }) {
-	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
-}
-function findResiduals({ entries, installs, allow }, extensionsDir) {
-	return OLD_PLUGIN_NAMES.filter((name) => entries?.[name] != null || installs?.[name] != null || (allow?.includes(name) ?? false) || node_fs.default.existsSync(node_path.default.join(extensionsDir, name)));
-}
-let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends DiagnoseRule {
+//#region src/rules/miaoda-plugin-allow.ts
+const MIAODA_PLUGIN = "openclaw-extension-miaoda";
+let MiaodaPluginAllowRule = class MiaodaPluginAllowRule extends DiagnoseRule {
 	validate(ctx) {
-		const maps = getPluginMaps(ctx.config);
-		if (!hasNewMiaoda(maps)) return { pass: true };
-		const residuals = findResiduals(maps, getExtensionsDir(ctx.configPath));
-		if (residuals.length === 0) return { pass: true };
+		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return { pass: true };
+		if (getAllow$1(ctx.config).includes(MIAODA_PLUGIN)) return { pass: true };
 		return {
 			pass: false,
-			message: "旧 miaoda 插件残留: " + residuals.sort().join(",")
+			message: `plugins.allow 缺少 ${MIAODA_PLUGIN}（已在 extensions/ 下装但未启用）`
 		};
 	}
 	repair(ctx) {
-		const maps = getPluginMaps(ctx.config);
-		if (!hasNewMiaoda(maps)) return;
-		const extensionsDir = getExtensionsDir(ctx.configPath);
-		const { entries, installs, allow } = maps;
-		const oldSet = new Set(OLD_PLUGIN_NAMES);
-		if (allow) for (let i = allow.length - 1; i >= 0; i--) {
-			const v = allow[i];
-			if (typeof v === "string" && oldSet.has(v)) allow.splice(i, 1);
-		}
-		for (const name of OLD_PLUGIN_NAMES) {
-			if (entries && name in entries) delete entries[name];
-			if (installs && name in installs) delete installs[name];
-			const target = node_path.default.join(extensionsDir, name);
-			const rel = node_path.default.relative(extensionsDir, target);
-			if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
-			try {
-				node_fs.default.rmSync(target, {
-					recursive: true,
-					force: true
-				});
-			} catch (e) {
-				console.error(`[old_miaoda_plugins_cleanup] rmSync ${target} failed: ${e.message}`);
-			}
+		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return;
+		const plugins = ctx.config.plugins;
+		if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) {
+			ctx.config.plugins = { allow: [MIAODA_PLUGIN] };
+			return;
 		}
+		const pluginsMap = plugins;
+		const rawAllow = pluginsMap.allow;
+		const allow = Array.isArray(rawAllow) ? rawAllow : [];
+		if (allow.includes(MIAODA_PLUGIN)) return;
+		allow.push(MIAODA_PLUGIN);
+		pluginsMap.allow = allow;
 	}
 };
-OldMiaodaPluginsCleanupRule = __decorate([Rule({
-	key: "old_miaoda_plugins_cleanup",
-	description: "当新版 openclaw-extension-miaoda 已存在时，清理过时插件引用（openclaw-feishu-greeting、openclaw-miaoda-keepalive 等）",
+MiaodaPluginAllowRule = __decorate([Rule({
+	key: "miaoda_plugin_allow",
+	description: "当 openclaw-extension-miaoda 已在磁盘安装但未在 allow 列表中时，将其添加到 plugins.allow（实验性）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "silent"
-})], OldMiaodaPluginsCleanupRule);
+	level: "critical",
+	profile: "standard"
+})], MiaodaPluginAllowRule);
+function getAllow$1(config) {
+	const plugins = config.plugins;
+	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
+	const allow = plugins.allow;
+	if (!Array.isArray(allow)) return [];
+	return allow.filter((e) => typeof e === "string");
+}
 //#endregion
 //#region src/rules/lark-plugin-allow.ts
 const LARK_PLUGIN = "openclaw-lark";
@@ -2619,7 +2626,7 @@ const LEGACY_LARK_PLUGIN = "feishu-openclaw-plugin";
 const LARK_PLUGIN_NAMES$1 = [LARK_PLUGIN, LEGACY_LARK_PLUGIN];
 let LarkPluginAllowRule = class LarkPluginAllowRule extends DiagnoseRule {
 	validate(ctx) {
-		const allow = getAllow$1(ctx.config);
+		const allow = getAllow(ctx.config);
 		if (LARK_PLUGIN_NAMES$1.some((name) => allow.includes(name))) return { pass: true };
 		const installed = detectInstalledLarkPlugin(getExtensionsDir(ctx.configPath));
 		if (installed == null) return { pass: true };
@@ -2651,7 +2658,7 @@ LarkPluginAllowRule = __decorate([Rule({
 	repairMode: "standard",
 	level: "critical"
 })], LarkPluginAllowRule);
-function getAllow$1(config) {
+function getAllow(config) {
 	const plugins = config.plugins;
 	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
 	const allow = plugins.allow;
@@ -2675,47 +2682,73 @@ function pluginPackageJsonExists(extDir, pluginDir) {
 	}
 }
 //#endregion
-//#region src/rules/miaoda-plugin-allow.ts
-const MIAODA_PLUGIN = "openclaw-extension-miaoda";
-let MiaodaPluginAllowRule = class MiaodaPluginAllowRule extends DiagnoseRule {
+//#region src/rules/old-miaoda-plugins-cleanup.ts
+const NEW_MIAODA = "openclaw-extension-miaoda";
+const OLD_PLUGIN_NAMES = Object.freeze([
+	"openclaw-feishu-greeting",
+	"openclaw-miaoda-keepalive",
+	"feishu-greeting",
+	"miaoda-keepalive"
+]);
+function getPluginMaps(config) {
+	const rawAllow = asRecord(config.plugins)?.allow;
+	return {
+		entries: getNestedMap(config, "plugins", "entries"),
+		installs: getNestedMap(config, "plugins", "installs"),
+		allow: Array.isArray(rawAllow) ? rawAllow : void 0
+	};
+}
+function hasNewMiaoda({ entries, installs, allow }) {
+	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
+}
+function findResiduals({ entries, installs, allow }, extensionsDir) {
+	return OLD_PLUGIN_NAMES.filter((name) => entries?.[name] != null || installs?.[name] != null || (allow?.includes(name) ?? false) || node_fs.default.existsSync(node_path.default.join(extensionsDir, name)));
+}
+let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends DiagnoseRule {
 	validate(ctx) {
-		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return { pass: true };
-		if (getAllow(ctx.config).includes(MIAODA_PLUGIN)) return { pass: true };
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return { pass: true };
+		const residuals = findResiduals(maps, getExtensionsDir(ctx.configPath));
+		if (residuals.length === 0) return { pass: true };
 		return {
 			pass: false,
-			message: `plugins.allow 缺少 ${MIAODA_PLUGIN}（已在 extensions/ 下装但未启用）`
+			message: "旧 miaoda 插件残留: " + residuals.sort().join(",")
 		};
 	}
 	repair(ctx) {
-		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return;
-		const plugins = ctx.config.plugins;
-		if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) {
-			ctx.config.plugins = { allow: [MIAODA_PLUGIN] };
-			return;
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return;
+		const extensionsDir = getExtensionsDir(ctx.configPath);
+		const { entries, installs, allow } = maps;
+		const oldSet = new Set(OLD_PLUGIN_NAMES);
+		if (allow) for (let i = allow.length - 1; i >= 0; i--) {
+			const v = allow[i];
+			if (typeof v === "string" && oldSet.has(v)) allow.splice(i, 1);
+		}
+		for (const name of OLD_PLUGIN_NAMES) {
+			if (entries && name in entries) delete entries[name];
+			if (installs && name in installs) delete installs[name];
+			const target = node_path.default.join(extensionsDir, name);
+			const rel = node_path.default.relative(extensionsDir, target);
+			if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
+			try {
+				node_fs.default.rmSync(target, {
+					recursive: true,
+					force: true
+				});
+			} catch (e) {
+				console.error(`[old_miaoda_plugins_cleanup] rmSync ${target} failed: ${e.message}`);
+			}
 		}
-		const pluginsMap = plugins;
-		const rawAllow = pluginsMap.allow;
-		const allow = Array.isArray(rawAllow) ? rawAllow : [];
-		if (allow.includes(MIAODA_PLUGIN)) return;
-		allow.push(MIAODA_PLUGIN);
-		pluginsMap.allow = allow;
 	}
 };
-MiaodaPluginAllowRule = __decorate([Rule({
-	key: "miaoda_plugin_allow",
-	description: "当 openclaw-extension-miaoda 已在磁盘安装但未在 allow 列表中时，将其添加到 plugins.allow（实验性）",
+OldMiaodaPluginsCleanupRule = __decorate([Rule({
+	key: "old_miaoda_plugins_cleanup",
+	description: "当新版 openclaw-extension-miaoda 已存在时，清理过时插件引用（openclaw-feishu-greeting、openclaw-miaoda-keepalive 等）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
-	level: "critical",
-	profile: "standard"
-})], MiaodaPluginAllowRule);
-function getAllow(config) {
-	const plugins = config.plugins;
-	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
-	const allow = plugins.allow;
-	if (!Array.isArray(allow)) return [];
-	return allow.filter((e) => typeof e === "string");
-}
+	level: "silent"
+})], OldMiaodaPluginsCleanupRule);
 //#endregion
 //#region src/rules/builtin-plugin-missing.ts
 /**
@@ -3473,87 +3506,54 @@ function extractScopedNameFromSpec(spec) {
 	return at === -1 ? spec : spec.slice(0, at);
 }
 //#endregion
-//#region src/rules/feishu-accounts-consistency.ts
-/**
-* Detects count/id mismatches in multi-agent feishu channel config.
-* Single-agent configs (no `accounts`) are out of scope — handled by `feishu_channel`.
-*
-* Checks:
-*   1. channels.feishu.accounts count == agents.list count
-*   2. channels.feishu.accounts count == feishu bindings count
-*   3. Main agent's bot account appId == ctx.vars.feishuAppID
-*   4. agents.list id set == bindings agentId set (feishu channel)
-*   5. bindings accountId set (feishu channel) == accounts key set
-*/
-let FeishuAccountsConsistencyRule = class FeishuAccountsConsistencyRule extends DiagnoseRule {
+//#region src/rules/cleanup-install-backup-dirs.ts
+const DIR_PREFIX = ".openclaw-install-";
+function resolveExtensionsDir(configPath) {
+	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
+}
+function findLeftoverDirs(extensionsDir) {
+	if (!fileExists(extensionsDir)) return [];
+	let entries;
+	try {
+		entries = node_fs.default.readdirSync(extensionsDir, { withFileTypes: true });
+	} catch {
+		return [];
+	}
+	return entries.filter((e) => e.isDirectory() && e.name.startsWith(DIR_PREFIX)).map((e) => node_path.default.join(extensionsDir, e.name));
+}
+let CleanupInstallBackupDirsRule = class CleanupInstallBackupDirsRule extends DiagnoseRule {
 	validate(ctx) {
-		const feishu = getNestedMap(ctx.config, "channels", "feishu");
-		if (!feishu) return { pass: true };
-		const accounts = asRecord(feishu.accounts);
-		if (!accounts) return { pass: true };
-		const accountCount = Object.keys(accounts).length;
-		if (accountCount === 0) return { pass: true };
-		const issues = [];
-		const agentList = getAgentList(ctx.config);
-		const feishuBindings = getFeishuBindings(ctx.config);
-		if (agentList.length > 0 && accountCount !== agentList.length) issues.push(`飞书账号数（${accountCount}）与 agents.list 代理数（${agentList.length}）不一致，两者应相等`);
-		if (feishuBindings.length > 0 && accountCount !== feishuBindings.length) issues.push(`飞书账号数（${accountCount}）与 feishu 类型 bindings 数（${feishuBindings.length}）不一致，两者应相等`);
-		const mainAgent = findMainAgent(ctx.config);
-		const mainId = typeof mainAgent?.id === "string" && mainAgent.id !== "" ? mainAgent.id : feishuBindings.find((b) => asRecord(b)?.agentId === "main") ? "main" : "";
-		if (mainId === "") issues.push("存在多账号配置（channels.feishu.accounts）但无法确定主 agent：agents.list 中没有标记 default:true 或 id:\"main\" 的代理，feishu bindings 中也没有 agentId:\"main\" 的路由");
-		else {
-			const expectedAppId = ctx.vars?.feishuAppID;
-			if (typeof expectedAppId === "string" && expectedAppId !== "") {
-				const mainBinding = feishuBindings.find((b) => asRecord(b)?.agentId === mainId);
-				const mainAccountId = asRecord(asRecord(mainBinding)?.match)?.accountId;
-				if (typeof mainAccountId === "string") {
-					const mainBotAcc = asRecord(accounts[mainAccountId]);
-					if (mainBotAcc && mainBotAcc.appId !== expectedAppId) issues.push(`主 agent（${mainId}）绑定的飞书账号（${mainAccountId}）的 appId 为 "${mainBotAcc.appId}"，与平台下发的 feishuAppID "${expectedAppId}" 不符`);
-				} else if (mainBinding != null) issues.push(`主 agent（${mainId}）的 feishu binding 缺少 match.accountId 字段，无法校验 appId 是否与平台下发的 feishuAppID "${expectedAppId}" 一致`);
-			}
-		}
-		if (agentList.length > 0 && feishuBindings.length > 0) {
-			const agentIds = new Set(agentList.map((a) => asRecord(a)?.id).filter((id) => typeof id === "string"));
-			const bindingAgentIds = new Set(feishuBindings.map((b) => asRecord(b)?.agentId).filter((id) => typeof id === "string"));
-			const missingInBindings = [...agentIds].filter((id) => !bindingAgentIds.has(id));
-			const extraInBindings = [...bindingAgentIds].filter((id) => !agentIds.has(id));
-			if (missingInBindings.length > 0) issues.push(`agent（${missingInBindings.join("、")}）存在于 agents.list 但缺少对应的 feishu binding`);
-			if (extraInBindings.length > 0) issues.push(`binding 引用了 agentId（${extraInBindings.join("、")}），但该 agent 不在 agents.list 中`);
-		}
-		if (feishuBindings.length > 0) {
-			const accountIds = new Set(Object.keys(accounts));
-			const bindingAccountIds = new Set(feishuBindings.map((b) => asRecord(asRecord(b)?.match)?.accountId).filter((id) => typeof id === "string"));
-			const missingInBindings = [...accountIds].filter((id) => !bindingAccountIds.has(id));
-			const extraInBindings = [...bindingAccountIds].filter((id) => !accountIds.has(id));
-			if (missingInBindings.length > 0) issues.push(`飞书账号（${missingInBindings.join("、")}）存在于 channels.feishu.accounts 但没有对应的 feishu binding`);
-			if (extraInBindings.length > 0) issues.push(`binding 引用了 accountId（${extraInBindings.join("、")}），但该账号不在 channels.feishu.accounts 中`);
-		}
-		if (issues.length === 0) return { pass: true };
+		const { configPath } = ctx;
+		if (!configPath) return { pass: true };
+		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
+		if (dirs.length === 0) return { pass: true };
 		return {
 			pass: false,
-			message: issues.map((s, i) => `[${i + 1}] ${s}`).join("；")
+			message: `extensions 目录下发现 ${dirs.length} 个 ${DIR_PREFIX}* 脏目录需要清理`
 		};
 	}
+	repair(ctx) {
+		const { configPath } = ctx;
+		if (!configPath) return;
+		const dirs = findLeftoverDirs(resolveExtensionsDir(configPath));
+		const failures = [];
+		for (const dir of dirs) try {
+			node_fs.default.rmSync(dir, {
+				recursive: true,
+				force: true
+			});
+		} catch (e) {
+			failures.push(`${node_path.default.basename(dir)}: ${e.message}`);
+		}
+		if (dirs.length > 0 && failures.length === dirs.length) throw new Error(`cleanup_install_backup_dirs: 全部清理失败: ${failures.join("; ")}`);
+	}
 };
-FeishuAccountsConsistencyRule = __decorate([Rule({
-	key: "feishu_accounts_consistency",
-	description: "检测多 agent 配置中 channels.feishu.accounts、agents.list 与 feishu bindings 之间的数量/ID 不一致（实验性）",
-	dependsOn: ["config_syntax_check"],
-	repairMode: "check-only",
-	level: "silent",
-	usesVars: ["feishuAppID"],
-	profile: "experimental"
-})], FeishuAccountsConsistencyRule);
-function getAgentList(config) {
-	const agents = getNestedMap(config, "agents");
-	return Array.isArray(agents?.list) ? agents.list : [];
-}
-function getFeishuBindings(config) {
-	if (!Array.isArray(config.bindings)) return [];
-	return config.bindings.filter((b) => {
-		return asRecord(asRecord(b)?.match)?.channel === "feishu";
-	});
-}
+CleanupInstallBackupDirsRule = __decorate([Rule({
+	key: "cleanup_install_backup_dirs",
+	description: "清理 extensions/ 目录中升级中断遗留的 .openclaw-install-stage-* 和 .openclaw-install-backups/ 脏目录",
+	repairMode: "standard",
+	level: "critical"
+})], CleanupInstallBackupDirsRule);
 //#endregion
 //#region src/check.ts
 /** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
@@ -4325,6 +4325,7 @@ function originOf(raw) {
 //#region src/oss/fetchManifest.ts
 const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
 const MANIFEST_SUFFIX = ".json";
+const manifestCache = /* @__PURE__ */ new Map();
 async function fetchManifest(ossFileMap, tag) {
 	const key = `${MANIFEST_PREFIX}${tag}${MANIFEST_SUFFIX}`;
 	const url = ossFileMap[key];
@@ -4333,13 +4334,17 @@ async function fetchManifest(ossFileMap, tag) {
 		const availStr = available.length ? available.join(", ") : "(none)";
 		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
 	}
+	const cached = manifestCache.get(url);
+	if (cached) return cached;
 	const label = `openclaw manifest tag=${tag}`;
 	const res = await fetchWithDiag(url, { label });
 	if (!res.ok) {
 		const body = await readPreview(res);
 		throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (body ? ` body=${body}` : ""));
 	}
-	return await res.json();
+	const manifest = await res.json();
+	manifestCache.set(url, manifest);
+	return manifest;
 }
 /** Best-effort body preview for HTTP-error diagnostics. OSS errors are
 *  XML; first 256 chars usually contain the <Code> + <Message> we care
@@ -4498,6 +4503,7 @@ async function installExtension(tag, ossFileMap, opts = {}) {
 	console.error(`[install-extension] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
 }
 const MEM0_PLUGIN_NAME = "openclaw-mem0-plugin";
+const PLUGINS_TO_AUTO_ENABLE = ["openclaw-lark", "openclaw-extension-miaoda"];
 /**
 * Merge each installed extension's installMetadata into openclaw.json's
 * plugins.installs[<pkg.name>]. Atomic write via tmp + rename.
@@ -4538,6 +4544,18 @@ function updatePluginInstalls(configPath, installedPkgs) {
 		const entries = plugins.entries;
 		if (!(MEM0_PLUGIN_NAME in entries)) entries[MEM0_PLUGIN_NAME] = { enabled: false };
 	}
+	for (const pkg of installedPkgs) {
+		if (!PLUGINS_TO_AUTO_ENABLE.includes(pkg.name)) continue;
+		if (!Array.isArray(plugins.allow)) plugins.allow = [];
+		const allow = plugins.allow;
+		if (!allow.includes(pkg.name)) allow.push(pkg.name);
+		if (!plugins.entries || typeof plugins.entries !== "object" || Array.isArray(plugins.entries)) plugins.entries = {};
+		const entries = plugins.entries;
+		entries[pkg.name] = {
+			...asRecord(entries[pkg.name]) ?? {},
+			enabled: true
+		};
+	}
 	const tmpPath = configPath + ".installs-tmp";
 	node_fs.default.writeFileSync(tmpPath, JSON.stringify(config, null, 2), "utf-8");
 	moveSafe(tmpPath, configPath);
@@ -4574,1117 +4592,604 @@ function installOne$1(pkg, tarball, homeBase) {
 	});
 }
 //#endregion
-//#region src/download-resource.ts
-/**
-* Download + extract a config/template package to its install destination.
-*
-* Current manifest has all resources as format=tgz with content at the root
-* (config: openclaw.json file at root; template: scripts/ dir at root), so we
-* always `tar -xzf` without --strip-components into `dirname(fullInstallPath)`.
-* The final artefact ends up at exactly `homeBase + pkg.installPath`.
-*/
-async function downloadResource(tag, ossFileMap, opts) {
-	const homeBase = resolveHomeBase(opts.homeBase);
-	const pkg = (await fetchManifest(ossFileMap, tag)).packages.find((p) => p.role === opts.role && p.name === opts.name);
-	if (!pkg) throw new Error(`download-resource: not found in manifest: role=${opts.role} name=${opts.name}`);
-	const file = await downloadWithCache(pkg, ossFileMap, opts);
-	const fullInstallPath = node_path.default.join(homeBase, pkg.installPath);
-	const extractDir = opts.dir ?? node_path.default.dirname(fullInstallPath);
-	node_fs.default.mkdirSync(extractDir, { recursive: true });
-	const format = (pkg.format ?? "").toLowerCase();
-	const lower = pkg.ossKey.toLowerCase();
-	if (format === "tgz" || lower.endsWith(".tgz") || lower.endsWith(".tar.gz")) {
-		extractTarballTolerant(file, extractDir);
-		console.error(`[download-resource] ${opts.role}/${opts.name}: extracted to ${extractDir}`);
-	} else {
-		const basename = node_path.default.posix.basename(pkg.ossKey);
-		node_fs.default.copyFileSync(file, node_path.default.join(extractDir, basename));
-		console.error(`[download-resource] ${opts.role}/${opts.name}: copied ${basename} to ${extractDir}`);
+//#region src/lark-cli-init.ts
+const LARK_PLUGIN_NAMES = ["openclaw-lark", "feishu-openclaw-plugin"];
+const PE_XML_TAG = "lark-cli-pe";
+const PE_PLACEHOLDER = `
+<${PE_XML_TAG}>
+**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
+</${PE_XML_TAG}>
+`;
+function isLarkPluginInstalled(configPath) {
+	const extDir = getExtensionsDir(configPath);
+	return LARK_PLUGIN_NAMES.some((name) => {
+		try {
+			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
+		} catch {
+			return false;
+		}
+	});
+}
+function isLarkCliAvailable() {
+	try {
+		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
+			encoding: "utf-8",
+			timeout: 5e3,
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).status === 0;
+	} catch {
+		return false;
+	}
+}
+function readConfig(configPath) {
+	try {
+		const raw = node_fs.default.readFileSync(configPath, "utf-8");
+		const parsed = loadJSON5().parse(raw);
+		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+	} catch {
+		return null;
 	}
 }
-//#endregion
-//#region src/oss/getOpenclawTag.ts
 /**
-* Extracts the openclaw tag from the manifest key present in ossFileMap.
-* Avoids passing an extra ctx field — we already know the tag from the
-* well-known manifest key studio_server included.
+* Resolve the feishu app secret for the given appId.
 *
-* Manifest key shape: builtin/manifests/openclaw/recommended/<tag>.json
+* Lookup order:
+*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
+*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
+*
+* Value interpretation:
+*   - string  → use directly
+*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
+*
+* Returns null when the secret cannot be determined.
 */
-function getOpenclawTagFromOssFileMap(ossFileMap) {
-	const prefix = "builtin/manifests/openclaw/recommended/";
-	const suffix = ".json";
-	for (const key of Object.keys(ossFileMap)) if (key.startsWith(prefix) && key.endsWith(suffix)) return key.slice(39, -5);
-	throw new Error("cannot resolve openclaw tag: ossFileMap missing manifest key");
-}
-//#endregion
-//#region src/reset.ts
-const STEPS = [
-	"备份当前配置",
-	"生成默认配置",
-	"杀掉 openclaw 进程",
-	"等待沙箱初始化完成",
-	"确认 openclaw 版本",
-	"合并核心备份配置",
-	"检查启动脚本",
-	"安装扩展",
-	"启动并验证"
-];
-const TOTAL_STEPS = STEPS.length;
-function writeResultFile(resultFile, result) {
-	const dir = node_path.default.dirname(resultFile);
-	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	const tmpPath = resultFile + ".tmp";
-	node_fs.default.writeFileSync(tmpPath, JSON.stringify(result), "utf-8");
-	moveSafe(tmpPath, resultFile);
-}
-function updateProgress(resultFile, step, startedAt) {
-	writeResultFile(resultFile, {
-		status: "running",
-		step,
-		totalSteps: TOTAL_STEPS,
-		progress: STEPS[step - 1],
-		startedAt
-	});
-}
-function markDone(resultFile, startedAt) {
-	writeResultFile(resultFile, {
-		status: "done",
-		step: TOTAL_STEPS,
-		totalSteps: TOTAL_STEPS,
-		progress: "重置完成",
-		startedAt,
-		completedAt: (/* @__PURE__ */ new Date()).toISOString()
-	});
-}
-function markFailed(resultFile, step, error, startedAt) {
-	writeResultFile(resultFile, {
-		status: "failed",
-		step,
-		totalSteps: TOTAL_STEPS,
-		progress: step > 0 ? STEPS[step - 1] : "初始化",
-		error,
-		startedAt,
-		completedAt: (/* @__PURE__ */ new Date()).toISOString()
-	});
+function resolveAppSecret(appId, config, feishuAppSecret) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) return null;
+	let rawSecret;
+	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
+	else {
+		const accounts = asRecord(feishu.accounts);
+		if (accounts) for (const [, val] of Object.entries(accounts)) {
+			const account = asRecord(val);
+			if (account?.appId === appId) {
+				rawSecret = account.appSecret ?? feishu.appSecret;
+				break;
+			}
+		}
+	}
+	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
+	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
+	return null;
 }
 /**
-* Download the template assets (config/openclaw.json + template/scripts) from
-* OSS into a scratch directory so the existing step 2 (generateDefaultConfig)
-* and step 7 (copyStartupScripts) can consume them as local files — the rest
-* of the orchestrator code stays untouched.
+* Resolve the agents.md path for the given appId from the openclaw config.
 *
-* Called once before step 1. The caller is responsible for rm -rf'ing
-* stagedDir in a finally{} block after the reset completes (or fails).
+* Case 1: appId matches channels.feishu.appId (single-agent path)
+*   → WORKSPACE_DIR/AGENTS.md
+*
+* Case 2: appId found in channels.feishu.accounts (multi-agent path)
+*   → find account key where account.appId === appId
+*   → find binding where match.channel=feishu && match.accountId=that key
+*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
+*   → else find agent in agents.list by id → agent.workspace/agents.md
+*
+* Returns null when the path cannot be determined.
 */
-async function stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log) {
-	if (node_fs.default.existsSync(stagedDir)) node_fs.default.rmSync(stagedDir, {
-		recursive: true,
-		force: true
-	});
-	node_fs.default.mkdirSync(stagedDir, { recursive: true });
-	await downloadResource(openclawTag, ossFileMap, {
-		role: "config",
-		name: "openclaw.json",
-		dir: stagedDir
-	});
-	await downloadResource(openclawTag, ossFileMap, {
-		role: "template",
-		name: "scripts",
-		dir: configDir
-	});
-	log(`staged openclaw.json to ${stagedDir}, scripts directly to ${configDir}/scripts`);
-}
-/** Step 1: Backup current config as openclaw.json.bak.N */
-function backupCurrentConfig(configPath, log) {
-	if (!fileExists(configPath)) {
-		log("no existing config, skip backup");
-		return;
+function resolveAgentsMdPath(appId, config) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) {
+		console.error("resolveAgentsMdPath: channels.feishu not found");
+		return null;
 	}
-	const dir = node_path.default.dirname(configPath);
-	let maxN = 0;
-	try {
-		for (const f of node_fs.default.readdirSync(dir)) {
-			const match = f.match(/^openclaw\.json\.bak\.(\d+)$/);
-			if (match) {
-				const n = parseInt(match[1], 10);
-				if (n > maxN) maxN = n;
+	if (typeof feishu.appId === "string" && feishu.appId === appId) {
+		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const accounts = asRecord(feishu.accounts);
+	if (!accounts) {
+		console.error("resolveAgentsMdPath: feishu.accounts not found");
+		return null;
+	}
+	let accountId;
+	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
+		accountId = key;
+		break;
+	}
+	if (!accountId) {
+		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
+	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
+	let agentId;
+	for (const b of bindings) {
+		const binding = asRecord(b);
+		if (!binding) continue;
+		const match = asRecord(binding.match);
+		if (match?.channel === "feishu" && match?.accountId === accountId) {
+			if (typeof binding.agentId === "string") {
+				agentId = binding.agentId;
+				break;
 			}
 		}
-	} catch {}
-	const bakPath = configPath + ".bak." + (maxN + 1);
-	node_fs.default.copyFileSync(configPath, bakPath);
-	log(`backed up to ${bakPath}`);
-}
-/** Step 2: Replace $$__XXX__ placeholders and write default config. */
-function generateDefaultConfig(srcDir, configPath, templateVars, log) {
-	const srcConfigPath = node_path.default.join(srcDir, "openclaw.json");
-	if (!fileExists(srcConfigPath)) throw new Error("staged openclaw.json not found at " + srcConfigPath);
-	let content = node_fs.default.readFileSync(srcConfigPath, "utf-8");
-	let replaced = 0;
-	for (const [placeholder, value] of Object.entries(templateVars)) {
-		const parts = content.split(placeholder);
-		if (parts.length > 1) replaced += parts.length - 1;
-		content = parts.join(value);
 	}
-	node_fs.default.writeFileSync(configPath, content, "utf-8");
-	log(`wrote ${configPath} (${replaced} placeholder(s) replaced, ${Object.keys(templateVars).length} provided)`);
+	if (!agentId) {
+		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
+	if (agentId === "main") {
+		console.error("resolveAgentsMdPath: case=multi-agent-main");
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const agentsObj = asRecord(config.agents);
+	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
+	for (const a of list) {
+		const agent = asRecord(a);
+		if (agent?.id === agentId) {
+			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
+			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
+			return node_path.default.join(ws, "AGENTS.md");
+		}
+	}
+	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
+	return null;
 }
-/** Step 3: Kill all openclaw processes. */
-function killOpenclawProcesses(log) {
-	try {
-		shell("pkill -f openclaw-gateway || true", 5e3);
-	} catch {}
-	shell("sleep 2", 5e3);
-	log("killed openclaw-gateway processes");
+function appendPeToAgentsMd(agentsMdPath) {
+	const dir = node_path.default.dirname(agentsMdPath);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
+	if (existing.includes(`<${PE_XML_TAG}>`)) {
+		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
+		return;
+	}
+	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
+	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
+	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
 }
 /**
-* Step 4: Wait for the sandbox's own init (init_sandbox.sh / concurrent npm
-* install) to finish before we start our own work. Two processes sharing
-* ~/.npm cache + competing for disk/network just makes everything crawl;
-* letting init finish first is the cleanest way to get exclusive access.
-* Polls every 10s up to `maxWaitMs`. If the deadline is hit we fall through
-* anyway — better to try than to fail the reset outright.
-*
-* Kept even after we switched off `npm install` because the sandbox init
-* script still runs `npm install` for other packages and holds cache locks.
+* Collect every Feishu bot appId declared in the openclaw config.
+* Covers both single-agent (channels.feishu.appId) and multi-agent
+* (channels.feishu.accounts[*].appId) layouts. Returns a deduplicated list.
 */
-function waitForInitNpm(maxWaitMs, log) {
-	const deadline = Date.now() + maxWaitMs;
-	const ownPid = String(process.pid);
-	let polls = 0;
-	while (Date.now() < deadline) {
-		polls++;
-		let running = 0;
-		try {
-			const out = shell(`pgrep -af "init_sandbox.sh|npm install|npm i " | grep -v -- "${ownPid}" | wc -l`, 1e4);
-			running = parseInt(out.trim(), 10) || 0;
-		} catch {
-			log(`poll ${polls}: no concurrent npm, proceeding`);
-			return;
-		}
-		if (running === 0) {
-			log(`poll ${polls}: no concurrent npm, proceeding`);
-			return;
-		}
-		log(`poll ${polls}: ${running} concurrent npm/init process(es) still running, waiting 10s`);
-		try {
-			shell("sleep 10", 12e3);
-		} catch {}
+function collectFeishuAppIds(configPath) {
+	const config = readConfig(configPath ?? CONFIG_PATH);
+	if (!config) return [];
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) return [];
+	const appIds = /* @__PURE__ */ new Set();
+	const topAppId = feishu.appId;
+	if (typeof topAppId === "string" && topAppId.trim()) appIds.add(topAppId.trim());
+	const accounts = asRecord(feishu.accounts);
+	if (accounts) for (const val of Object.values(accounts)) {
+		const appId = asRecord(val)?.appId;
+		if (typeof appId === "string" && appId.trim()) appIds.add(appId.trim());
 	}
-	log(`deadline (${maxWaitMs}ms) hit after ${polls} poll(s), proceeding anyway`);
+	return [...appIds];
 }
-/**
-* Step 5: Install openclaw from the OSS-provided tarball at the target tag,
-* then verify `openclaw --version` output contains that tag. No npm involved.
-*/
-async function step5InstallOpenclaw(openclawTag, ossFileMap, log) {
-	log(`install-openclaw tag=${openclawTag}`);
-	await installOpenclaw(openclawTag, ossFileMap);
-	const out = shell("openclaw --version 2>&1 || true", 1e4).trim();
-	if (!out.includes(openclawTag)) throw new Error(`openclaw version verify failed: got "${out}"`);
-	log(`openclaw version verified: ${out}`);
-}
-/** Step 6: Merge coreBackup from resetData + ensure allowedOrigins. */
-function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
-	const JSON5 = loadJSON5();
-	const backup = resetData.coreBackup;
-	if (backup) {
-		const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
-		const merged = [];
-		if (backup.agents && backup.agents.length > 0) {
-			if (!config.agents) config.agents = {};
-			const agents = config.agents;
-			if (!Array.isArray(agents.list)) agents.list = [];
-			const configDir = node_path.default.dirname(configPath);
-			for (const agent of backup.agents) {
-				const enriched = {
-					id: agent.id,
-					name: agent.id,
-					workspace: agent.workspace,
-					agentDir: configDir + "/agents/" + agent.id + "/agent"
-				};
-				agents.list.push(enriched);
-			}
-			merged.push(`agents(+${backup.agents.length})`);
-			const list = agents.list;
-			let mainIdx = list.findIndex((a) => a.id === "main");
-			if (mainIdx < 0) {
-				list.unshift({ id: "main" });
-				mainIdx = 0;
-			}
-			list[mainIdx].subagents = { allowAgents: ["*"] };
-			list[mainIdx].default = true;
-			merged.push("main-team-mode");
-			const feishu = config.channels?.feishu;
-			if (feishu) {
-				if (!feishu.accounts) feishu.accounts = {};
-				const accounts = feishu.accounts;
-				const defaultAccount = {};
-				for (const key of [
-					"dmPolicy",
-					"allowFrom",
-					"groupPolicy",
-					"groupAllowFrom"
-				]) if (feishu[key] !== void 0) defaultAccount[key] = feishu[key];
-				if (Object.keys(defaultAccount).length > 0) {
-					accounts.default = defaultAccount;
-					merged.push("accounts.default");
-				}
-			}
-		}
-		if (backup.bindings && backup.bindings.length > 0) {
-			config.bindings = backup.bindings;
-			merged.push("bindings");
-		}
-		const backupAccounts = backup.channels?.feishu?.accounts;
-		if (backupAccounts && Object.keys(backupAccounts).length > 0) {
-			if (!config.channels) config.channels = {};
-			const ch = config.channels;
-			if (!ch.feishu) ch.feishu = {};
-			const feishu = ch.feishu;
-			if (!feishu.accounts) feishu.accounts = {};
-			Object.assign(feishu.accounts, backupAccounts);
-			merged.push("channels.feishu.accounts");
-		}
-		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
-		log(`merged from coreBackup: [${merged.join(", ") || "nothing"}]`);
-	} else log("no coreBackup in resetData, skip multi-agent merge");
-	const expectedOrigins = Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
-	if (expectedOrigins.length === 0) {
-		log("no expectedOrigins provided");
-		return;
-	}
-	const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
-	if (!config.gateway) config.gateway = {};
-	const gw = config.gateway;
-	if (!gw.controlUi) gw.controlUi = {};
-	const cui = gw.controlUi;
-	const current = Array.isArray(cui.allowedOrigins) ? cui.allowedOrigins.filter((o) => typeof o === "string") : [];
-	if (current.includes("*")) {
-		log("allowedOrigins already contains \"*\", skip origin merge");
-		return;
-	}
-	const seen = new Set(current);
-	const added = [];
-	const mergedOrigins = [...current];
-	for (const o of expectedOrigins) if (!seen.has(o)) {
-		mergedOrigins.push(o);
-		seen.add(o);
-		added.push(o);
-	}
-	cui.allowedOrigins = mergedOrigins;
-	node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
-	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
-}
-/**
-* Step 7: Verify startup scripts landed in configDir/scripts/.
-*
-* Scripts are extracted directly to configDir/scripts/ during stageTemplate —
-* there's no intermediate copy any more. This step is now a verification gate
-* (rather than a copy action) so the step count stays at 9 and we fail early
-* if the template tgz didn't carry a scripts/ dir.
-*/
-function verifyStartupScripts(configDir, log) {
-	const targetScriptsDir = node_path.default.join(configDir, "scripts");
-	if (!node_fs.default.existsSync(targetScriptsDir)) throw new Error(`scripts dir missing at ${targetScriptsDir} — template download failed?`);
-	log(`scripts dir present at ${targetScriptsDir}`);
-}
-/**
-* Step 8: Install all extensions listed in the OSS manifest at `openclawTag`.
-* Replaces the old `plugins update --all` / pre-packed tar.gz flow — the
-* manifest is now the single source of truth for which extensions ship.
-*/
-async function step8InstallExtensions(openclawTag, ossFileMap, log) {
-	log(`install-extension --all tag=${openclawTag}`);
-	await installExtension(openclawTag, ossFileMap, {
-		all: true,
-		skipConfigUpdate: true
-	});
-	log("extensions installed");
-}
-/** Step 9: Write secrets/provider key files and restart openclaw. */
-function writeSecretsAndRestart(vars, resetData, configDir, log) {
-	if (resetData.secretsContent && vars.secretsFilePath) {
-		writeFile(vars.secretsFilePath, resetData.secretsContent);
-		log(`wrote secrets to ${vars.secretsFilePath}`);
-	}
-	if (resetData.providerKeyContent && vars.providerFilePath) {
-		writeFile(vars.providerFilePath, resetData.providerKeyContent);
-		log(`wrote provider key to ${vars.providerFilePath}`);
-	}
-	const restartScript = "/opt/force/bin/openclaw_scripts/restart.sh";
-	if (fileExists(restartScript)) {
-		const t = Date.now();
-		shell(`bash '${restartScript}'`, 3e4);
-		log(`restart.sh done in ${Date.now() - t}ms`);
-	} else log(`no restart.sh at ${restartScript}, skip`);
-}
-async function runReset(input, taskId, resultFile) {
-	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-	const { configPath, vars, resetData } = input;
-	const configDir = node_path.default.dirname(configPath);
-	const stagedDir = node_path.default.join(DIAGNOSE_DIR, `reset-${taskId}-template`);
-	let currentStep = 0;
-	let stepStartedAt = Date.now();
-	const stepResults = [];
-	const log = makeLogger(resetLogFile(taskId));
-	log(`=== reset started, taskId=${taskId}, pid=${process.pid} ===`);
-	log(`configPath=${configPath}, configDir=${configDir}, stagedDir=${stagedDir}`);
-	const ossFileMap = resetData.ossFileMap;
-	if (!ossFileMap || Object.keys(ossFileMap).length === 0) {
-		const err = "resetData.ossFileMap missing or empty";
-		log(`ERROR: ${err}`);
-		markFailed(resultFile, 0, err, startedAt);
+function runLarkCliInit(opts) {
+	const configPath = opts.configPath ?? CONFIG_PATH;
+	if (!isLarkPluginInstalled(configPath)) {
+		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
 		return {
-			success: false,
-			steps: stepResults,
-			error: err,
-			failedStep: 0
+			ok: true,
+			skipped: true,
+			skipReason: "openclaw-lark plugin not installed"
 		};
 	}
-	let openclawTag;
-	if (resetData.openclawTag) openclawTag = resetData.openclawTag;
-	else try {
-		openclawTag = getOpenclawTagFromOssFileMap(ossFileMap);
-	} catch (e) {
-		const err = e.message;
-		log(`ERROR: ${err}`);
-		markFailed(resultFile, 0, err, startedAt);
+	if (!isLarkCliAvailable()) {
+		console.error("lark-cli-init: skipping — lark-cli command not found");
 		return {
-			success: false,
-			steps: stepResults,
-			error: err,
-			failedStep: 0
+			ok: true,
+			skipped: true,
+			skipReason: "lark-cli command not found"
 		};
 	}
-	log(`openclawTag=${openclawTag}`);
-	process.on("uncaughtException", (err) => {
-		log(`FATAL uncaughtException: ${err.message}\n${err.stack ?? ""}`);
-		markFailed(resultFile, currentStep, `uncaught exception: ${err.message}`, startedAt);
-		process.exit(1);
-	});
-	process.on("unhandledRejection", (reason) => {
-		log(`FATAL unhandledRejection: ${String(reason)}`);
-		markFailed(resultFile, currentStep, `unhandled rejection: ${reason}`, startedAt);
-		process.exit(1);
+	const config = readConfig(configPath);
+	if (!config) return {
+		ok: false,
+		error: `could not read config at ${configPath}`
+	};
+	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
+	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
+	if (!agentsMdPath) return {
+		ok: false,
+		error: `could not resolve agents.md path for appId=${opts.appId}`
+	};
+	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
+	if (!appSecret) return {
+		ok: false,
+		error: `could not resolve appSecret for appId=${opts.appId}`
+	};
+	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
+	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
+		"config",
+		"init",
+		"--name",
+		opts.appId,
+		"--app-id",
+		opts.appId,
+		"--brand",
+		"feishu",
+		"--app-secret-stdin",
+		"--force-init"
+	], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8",
+		input: appSecret
 	});
-	/** Advance to the next step, recording the previous step's success
-	*  duration and updating the on-disk progress file. */
-	const step = (n) => {
-		if (currentStep > 0) {
-			const dur = Date.now() - stepStartedAt;
-			log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${dur}ms`);
-			stepResults.push({
-				step: currentStep,
-				name: STEPS[currentStep - 1],
-				status: "ok",
-				durationMs: dur
-			});
-		}
-		currentStep = n;
-		stepStartedAt = Date.now();
-		log(`--- step ${n}/${TOTAL_STEPS}: ${STEPS[n - 1]} ---`);
-		updateProgress(resultFile, n, startedAt);
+	const configInitStdout = initRes.stdout?.trim() || void 0;
+	const configInitStderr = initRes.stderr?.trim() || void 0;
+	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
+	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
+	if (initRes.error) return {
+		ok: false,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init spawn error: ${initRes.error.message}`
 	};
-	try {
-		await stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log);
-		step(1);
-		backupCurrentConfig(configPath, log);
-		step(2);
-		generateDefaultConfig(stagedDir, configPath, resetData.templateVars, log);
-		step(3);
-		killOpenclawProcesses(log);
-		step(4);
-		waitForInitNpm(10 * 6e4, log);
-		step(5);
-		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
-		step(6);
-		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
-		step(7);
-		verifyStartupScripts(configDir, log);
-		step(8);
-		await step8InstallExtensions(openclawTag, ossFileMap, log);
-		step(9);
-		writeSecretsAndRestart(vars, resetData, configDir, log);
-		const lastDur = Date.now() - stepStartedAt;
-		log(`step 9 "${STEPS[8]}" done in ${lastDur}ms`);
-		stepResults.push({
-			step: 9,
-			name: STEPS[8],
-			status: "ok",
-			durationMs: lastDur
-		});
-		log("=== reset completed successfully ===");
-		markDone(resultFile, startedAt);
-		return {
-			success: true,
-			steps: stepResults
-		};
-	} catch (e) {
-		const err = e.message;
-		const dur = Date.now() - stepStartedAt;
-		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${dur}ms: ${err}\n${e.stack ?? ""}`);
-		stepResults.push({
-			step: currentStep,
-			name: STEPS[currentStep - 1] ?? "init",
-			status: "fail",
-			durationMs: dur,
-			error: err
+	if (initRes.status !== 0) return {
+		ok: false,
+		configInitExitCode: initRes.status ?? void 0,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init exited with code ${initRes.status}`
+	};
+	appendPeToAgentsMd(agentsMdPath);
+	return {
+		ok: true,
+		configInitExitCode: 0,
+		agentsMdPath
+	};
+}
+//#endregion
+//#region ../../openclaw-slardar/lib/client.js
+var import_index_cjs = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	var DEFAULT_SIZE = 10;
+	var DEFAULT_WAIT = 1e3;
+	var stringifyBatch = function(list) {
+		return JSON.stringify({
+			ev_type: "batch",
+			list
 		});
-		markFailed(resultFile, currentStep, err, startedAt);
-		return {
-			success: false,
-			steps: stepResults,
-			error: err,
-			failedStep: currentStep
+	};
+	function createBatchSender(config) {
+		var transport = config.transport;
+		var endpoint = config.endpoint, _a = config.size, size = _a === void 0 ? DEFAULT_SIZE : _a, _b = config.wait, wait = _b === void 0 ? DEFAULT_WAIT : _b;
+		var batch = [];
+		var tid = 0;
+		var fail;
+		var success;
+		var sender = {
+			getSize: function() {
+				return size;
+			},
+			getWait: function() {
+				return wait;
+			},
+			setSize: function(v) {
+				size = v;
+			},
+			setWait: function(v) {
+				wait = v;
+			},
+			getEndpoint: function() {
+				return endpoint;
+			},
+			setEndpoint: function(v) {
+				endpoint = v;
+			},
+			send: function(e) {
+				batch.push(e);
+				if (batch.length >= size) sendBatch.call(this);
+				clearTimeout(tid);
+				tid = setTimeout(sendBatch.bind(this), wait);
+			},
+			flush: function() {
+				clearTimeout(tid);
+				sendBatch.call(this);
+			},
+			getBatchData: function() {
+				return batch.length ? stringifyBatch(batch) : "";
+			},
+			clear: function() {
+				clearTimeout(tid);
+				batch = [];
+			},
+			fail: function(cb) {
+				fail = cb;
+			},
+			success: function(cb) {
+				success = cb;
+			}
 		};
-	} finally {
-		try {
-			node_fs.default.rmSync(stagedDir, {
-				recursive: true,
-				force: true
+		function sendBatch() {
+			if (!batch.length) return;
+			var data = this.getBatchData();
+			transport.post({
+				url: endpoint,
+				data,
+				fail: function(err) {
+					fail && fail(err, data);
+				},
+				success: function() {
+					success && success(data);
+				}
 			});
-		} catch {}
-	}
-}
-//#endregion
-//#region src/get-reset-task.ts
-/**
-* Long-poll for a reset task result.
-* Reads the result file every 1s for up to 30s.
-* Returns immediately on terminal states (done/failed).
-*/
-function getResetTask(taskId) {
-	const resultFile = resetResultFile(taskId);
-	const deadline = Date.now() + 3e4;
-	while (Date.now() < deadline) {
-		if (!node_fs.default.existsSync(resultFile)) {
-			sleepSync(1e3);
-			continue;
+			batch = [];
 		}
-		try {
-			const content = node_fs.default.readFileSync(resultFile, "utf-8");
-			const result = JSON.parse(content);
-			if (result.status === "done" || result.status === "failed") return result;
-		} catch {}
-		sleepSync(1e3);
+		return sender;
 	}
-	if (node_fs.default.existsSync(resultFile)) try {
-		return JSON.parse(node_fs.default.readFileSync(resultFile, "utf-8"));
-	} catch {}
-	return {
-		status: "running",
-		progress: "等待中..."
+	/*! *****************************************************************************
+	Copyright (c) Microsoft Corporation.
+	
+	Permission to use, copy, modify, and/or distribute this software for any
+	purpose with or without fee is hereby granted.
+	
+	THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+	REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+	AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+	INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+	LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+	OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+	PERFORMANCE OF THIS SOFTWARE.
+	***************************************************************************** */
+	var __assign = function() {
+		__assign = Object.assign || function __assign(t) {
+			for (var s, i = 1, n = arguments.length; i < n; i++) {
+				s = arguments[i];
+				for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p)) t[p] = s[p];
+			}
+			return t;
+		};
+		return __assign.apply(this, arguments);
 	};
-}
-/**
-* Synchronous sleep using Atomics.wait on a shared buffer.
-*/
-function sleepSync(ms) {
-	const buf = new SharedArrayBuffer(4);
-	const arr = new Int32Array(buf);
-	Atomics.wait(arr, 0, 0, ms);
-}
-//#endregion
-//#region src/lark-cli-init.ts
-const LARK_PLUGIN_NAMES = ["openclaw-lark", "feishu-openclaw-plugin"];
-const PE_XML_TAG = "lark-cli-pe";
-const PE_PLACEHOLDER = `
-<${PE_XML_TAG}>
-**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
-</${PE_XML_TAG}>
-`;
-function isLarkPluginInstalled(configPath) {
-	const extDir = getExtensionsDir(configPath);
-	return LARK_PLUGIN_NAMES.some((name) => {
+	function __values(o) {
+		var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+		if (m) return m.call(o);
+		if (o && typeof o.length === "number") return { next: function() {
+			if (o && i >= o.length) o = void 0;
+			return {
+				value: o && o[i++],
+				done: !o
+			};
+		} };
+		throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+	}
+	function __read(o, n) {
+		var m = typeof Symbol === "function" && o[Symbol.iterator];
+		if (!m) return o;
+		var i = m.call(o), r, ar = [], e;
 		try {
-			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
-		} catch {
-			return false;
+			while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+		} catch (error) {
+			e = { error };
+		} finally {
+			try {
+				if (r && !r.done && (m = i["return"])) m.call(i);
+			} finally {
+				if (e) throw e.error;
+			}
 		}
-	});
-}
-function isLarkCliAvailable() {
-	try {
-		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
-			encoding: "utf-8",
-			timeout: 5e3,
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			]
-		}).status === 0;
-	} catch {
-		return false;
+		return ar;
 	}
-}
-function readConfig(configPath) {
-	try {
-		const raw = node_fs.default.readFileSync(configPath, "utf-8");
-		const parsed = loadJSON5().parse(raw);
-		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
-	} catch {
-		return null;
+	function __spreadArray(to, from, pack) {
+		if (pack || arguments.length === 2) {
+			for (var i = 0, l = from.length, ar; i < l; i++) if (ar || !(i in from)) {
+				if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+				ar[i] = from[i];
+			}
+		}
+		return to.concat(ar || Array.prototype.slice.call(from));
 	}
-}
-/**
-* Resolve the feishu app secret for the given appId.
-*
-* Lookup order:
-*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
-*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
-*
-* Value interpretation:
-*   - string  → use directly
-*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
-*
-* Returns null when the secret cannot be determined.
-*/
-function resolveAppSecret(appId, config, feishuAppSecret) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return null;
-	let rawSecret;
-	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
-	else {
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [, val] of Object.entries(accounts)) {
-			const account = asRecord(val);
-			if (account?.appId === appId) {
-				rawSecret = account.appSecret ?? feishu.appSecret;
-				break;
-			}
-		}
+	var noop = function() {
+		return {};
+	};
+	function id(v) {
+		return v;
 	}
-	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
-	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
-	return null;
-}
-/**
-* Resolve the agents.md path for the given appId from the openclaw config.
-*
-* Case 1: appId matches channels.feishu.appId (single-agent path)
-*   → WORKSPACE_DIR/AGENTS.md
-*
-* Case 2: appId found in channels.feishu.accounts (multi-agent path)
-*   → find account key where account.appId === appId
-*   → find binding where match.channel=feishu && match.accountId=that key
-*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
-*   → else find agent in agents.list by id → agent.workspace/agents.md
-*
-* Returns null when the path cannot be determined.
-*/
-function resolveAgentsMdPath(appId, config) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) {
-		console.error("resolveAgentsMdPath: channels.feishu not found");
-		return null;
+	function isObject(o) {
+		return typeof o === "object" && o !== null;
 	}
-	if (typeof feishu.appId === "string" && feishu.appId === appId) {
-		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	var objProto = Object.prototype;
+	function isArray(o) {
+		return objProto.toString.call(o) === "[object Array]";
 	}
-	const accounts = asRecord(feishu.accounts);
-	if (!accounts) {
-		console.error("resolveAgentsMdPath: feishu.accounts not found");
-		return null;
+	function isBoolean(o) {
+		return typeof o === "boolean";
 	}
-	let accountId;
-	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
-		accountId = key;
-		break;
+	function isNumber(o) {
+		return typeof o === "number";
 	}
-	if (!accountId) {
-		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
-		return null;
+	function isString(o) {
+		return typeof o === "string";
 	}
-	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
-	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
-	let agentId;
-	for (const b of bindings) {
-		const binding = asRecord(b);
-		if (!binding) continue;
-		const match = asRecord(binding.match);
-		if (match?.channel === "feishu" && match?.accountId === accountId) {
-			if (typeof binding.agentId === "string") {
-				agentId = binding.agentId;
-				break;
-			}
+	function arrayIncludes(array, value) {
+		if (!isArray(array)) return false;
+		if (array.length === 0) return false;
+		var k = 0;
+		while (k < array.length) {
+			if (array[k] === value) return true;
+			k++;
 		}
+		return false;
 	}
-	if (!agentId) {
-		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
-		return null;
-	}
-	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
-	if (agentId === "main") {
-		console.error("resolveAgentsMdPath: case=multi-agent-main");
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
-	}
-	const agentsObj = asRecord(config.agents);
-	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
-	for (const a of list) {
-		const agent = asRecord(a);
-		if (agent?.id === agentId) {
-			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
-			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
-			return node_path.default.join(ws, "AGENTS.md");
+	var arrayRemove = function(arr, e) {
+		if (!isArray(arr)) return arr;
+		var i = arr.indexOf(e);
+		if (i >= 0) {
+			var arr_ = arr.slice();
+			arr_.splice(i, 1);
+			return arr_;
+		}
+		return arr;
+	};
+	/**
+	* 按路径访问对象属性
+	* @param target 待访问对象
+	* @param property 访问属性路径
+	* @param { (target: any, property: string): any } visitor 访问器
+	*/
+	var safeVisit = function(target, path, visitor) {
+		var _a, _b;
+		var _c = __read(path.split(".")), method = _c[0], rest = _c.slice(1);
+		while (target && rest.length > 0) {
+			target = target[method];
+			_a = rest, _b = __read(_a), method = _b[0], rest = _b.slice(1);
+		}
+		if (!target) return;
+		return visitor(target, method);
+	};
+	function safeStringify(a) {
+		try {
+			return isString(a) ? a : JSON.stringify(a);
+		} catch (err) {
+			return "[FAILED_TO_STRINGIFY]:" + String(err);
 		}
 	}
-	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
-	return null;
-}
-function appendPeToAgentsMd(agentsMdPath) {
-	const dir = node_path.default.dirname(agentsMdPath);
-	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
-	if (existing.includes(`<${PE_XML_TAG}>`)) {
-		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
-		return;
-	}
-	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
-	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
-	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
-}
-/**
-* Collect every Feishu bot appId declared in the openclaw config.
-* Covers both single-agent (channels.feishu.appId) and multi-agent
-* (channels.feishu.accounts[*].appId) layouts. Returns a deduplicated list.
-*/
-function collectFeishuAppIds(configPath) {
-	const config = readConfig(configPath ?? CONFIG_PATH);
-	if (!config) return [];
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return [];
-	const appIds = /* @__PURE__ */ new Set();
-	const topAppId = feishu.appId;
-	if (typeof topAppId === "string" && topAppId.trim()) appIds.add(topAppId.trim());
-	const accounts = asRecord(feishu.accounts);
-	if (accounts) for (const val of Object.values(accounts)) {
-		const appId = asRecord(val)?.appId;
-		if (typeof appId === "string" && appId.trim()) appIds.add(appId.trim());
-	}
-	return [...appIds];
-}
-function runLarkCliInit(opts) {
-	const configPath = opts.configPath ?? CONFIG_PATH;
-	if (!isLarkPluginInstalled(configPath)) {
-		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "openclaw-lark plugin not installed"
+	function createContextAgent() {
+		var context = {};
+		var stringified = {};
+		var contextAgent = {
+			set: function(k, v) {
+				context[k] = v;
+				stringified[k] = safeStringify(v);
+				return contextAgent;
+			},
+			merge: function(ctx) {
+				context = __assign(__assign({}, context), ctx);
+				Object.keys(ctx).forEach(function(key) {
+					stringified[key] = safeStringify(ctx[key]);
+				});
+				return contextAgent;
+			},
+			delete: function(k) {
+				delete context[k];
+				delete stringified[k];
+				return contextAgent;
+			},
+			clear: function() {
+				context = {};
+				stringified = {};
+				return contextAgent;
+			},
+			get: function(k) {
+				return stringified[k];
+			},
+			toString: function() {
+				return __assign({}, stringified);
+			}
 		};
+		return contextAgent;
 	}
-	if (!isLarkCliAvailable()) {
-		console.error("lark-cli-init: skipping — lark-cli command not found");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "lark-cli command not found"
+	var getPrintString = function() {
+		if ("".padStart) return function(str, prefixLength) {
+			if (prefixLength === void 0) prefixLength = 8;
+			return str.padStart(prefixLength, " ");
+		};
+		return function(str) {
+			return str;
 		};
-	}
-	const config = readConfig(configPath);
-	if (!config) return {
-		ok: false,
-		error: `could not read config at ${configPath}`
 	};
-	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
-	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
-	if (!agentsMdPath) return {
-		ok: false,
-		error: `could not resolve agents.md path for appId=${opts.appId}`
+	var printString = getPrintString();
+	var errCount = 0;
+	var error = function() {
+		var args = [];
+		for (var _i = 0; _i < arguments.length; _i++) args[_i] = arguments[_i];
+		console.error.apply(console, __spreadArray([
+			"[SDK]",
+			Date.now(),
+			printString("" + errCount++)
+		], __read(args), false));
 	};
-	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
-	if (!appSecret) return {
-		ok: false,
-		error: `could not resolve appSecret for appId=${opts.appId}`
+	var warnCount = 0;
+	var warn = function() {
+		var args = [];
+		for (var _i = 0; _i < arguments.length; _i++) args[_i] = arguments[_i];
+		console.warn.apply(console, __spreadArray([
+			"[SDK]",
+			Date.now(),
+			printString("" + warnCount++)
+		], __read(args), false));
 	};
-	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
-	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
-		"config",
-		"init",
-		"--name",
-		opts.appId,
-		"--app-id",
-		opts.appId,
-		"--brand",
-		"feishu",
-		"--app-secret-stdin",
-		"--force-init"
-	], {
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8",
-		input: appSecret
-	});
-	const configInitStdout = initRes.stdout?.trim() || void 0;
-	const configInitStderr = initRes.stderr?.trim() || void 0;
-	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
-	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
-	if (initRes.error) return {
-		ok: false,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init spawn error: ${initRes.error.message}`
-	};
-	if (initRes.status !== 0) return {
-		ok: false,
-		configInitExitCode: initRes.status ?? void 0,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init exited with code ${initRes.status}`
-	};
-	appendPeToAgentsMd(agentsMdPath);
-	return {
-		ok: true,
-		configInitExitCode: 0,
-		agentsMdPath
+	var isHitBySampleRate = function(sampleRate) {
+		if (Math.random() < Number(sampleRate)) return true;
+		return false;
 	};
-}
-//#endregion
-//#region ../../openclaw-slardar/lib/client.js
-var import_index_cjs = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exports) => {
-	Object.defineProperty(exports, "__esModule", { value: true });
-	var DEFAULT_SIZE = 10;
-	var DEFAULT_WAIT = 1e3;
-	var stringifyBatch = function(list) {
-		return JSON.stringify({
-			ev_type: "batch",
-			list
-		});
+	var isHitByRandom = function(random, sampleRate) {
+		if (random < Number(sampleRate)) return true;
+		return false;
 	};
-	function createBatchSender(config) {
-		var transport = config.transport;
-		var endpoint = config.endpoint, _a = config.size, size = _a === void 0 ? DEFAULT_SIZE : _a, _b = config.wait, wait = _b === void 0 ? DEFAULT_WAIT : _b;
-		var batch = [];
-		var tid = 0;
-		var fail;
-		var success;
-		var sender = {
-			getSize: function() {
-				return size;
-			},
-			getWait: function() {
-				return wait;
-			},
-			setSize: function(v) {
-				size = v;
-			},
-			setWait: function(v) {
-				wait = v;
-			},
-			getEndpoint: function() {
-				return endpoint;
-			},
-			setEndpoint: function(v) {
-				endpoint = v;
-			},
-			send: function(e) {
-				batch.push(e);
-				if (batch.length >= size) sendBatch.call(this);
-				clearTimeout(tid);
-				tid = setTimeout(sendBatch.bind(this), wait);
-			},
-			flush: function() {
-				clearTimeout(tid);
-				sendBatch.call(this);
-			},
-			getBatchData: function() {
-				return batch.length ? stringifyBatch(batch) : "";
-			},
-			clear: function() {
-				clearTimeout(tid);
-				batch = [];
-			},
-			fail: function(cb) {
-				fail = cb;
-			},
-			success: function(cb) {
-				success = cb;
-			}
-		};
-		function sendBatch() {
-			if (!batch.length) return;
-			var data = this.getBatchData();
-			transport.post({
-				url: endpoint,
-				data,
-				fail: function(err) {
-					fail && fail(err, data);
-				},
-				success: function() {
-					success && success(data);
-				}
-			});
-			batch = [];
-		}
-		return sender;
-	}
-	/*! *****************************************************************************
-	Copyright (c) Microsoft Corporation.
-	
-	Permission to use, copy, modify, and/or distribute this software for any
-	purpose with or without fee is hereby granted.
-	
-	THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-	REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-	INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-	LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-	OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-	PERFORMANCE OF THIS SOFTWARE.
-	***************************************************************************** */
-	var __assign = function() {
-		__assign = Object.assign || function __assign(t) {
-			for (var s, i = 1, n = arguments.length; i < n; i++) {
-				s = arguments[i];
-				for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p)) t[p] = s[p];
+	var runProcessors = function(fns) {
+		return function(e) {
+			var r = e;
+			for (var i = 0; i < fns.length; i++) if (r) try {
+				r = fns[i](r);
+			} catch (err) {
+				error(err);
 			}
-			return t;
+			else break;
+			return r;
 		};
-		return __assign.apply(this, arguments);
 	};
-	function __values(o) {
-		var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
-		if (m) return m.call(o);
-		if (o && typeof o.length === "number") return { next: function() {
-			if (o && i >= o.length) o = void 0;
-			return {
-				value: o && o[i++],
-				done: !o
-			};
-		} };
-		throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
-	}
-	function __read(o, n) {
-		var m = typeof Symbol === "function" && o[Symbol.iterator];
-		if (!m) return o;
-		var i = m.call(o), r, ar = [], e;
-		try {
-			while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
-		} catch (error) {
-			e = { error };
-		} finally {
-			try {
-				if (r && !r.done && (m = i["return"])) m.call(i);
-			} finally {
-				if (e) throw e.error;
-			}
-		}
-		return ar;
-	}
-	function __spreadArray(to, from, pack) {
-		if (pack || arguments.length === 2) {
-			for (var i = 0, l = from.length, ar; i < l; i++) if (ar || !(i in from)) {
-				if (!ar) ar = Array.prototype.slice.call(from, 0, i);
-				ar[i] = from[i];
-			}
+	/**
+	* 生成uuid
+	* stolen from https://github.com/kelektiv/node-uuid#readme uuid/v4
+	*
+	* @returns
+	*/
+	function mathRNG() {
+		var rnds = new Array(16);
+		var r = 0;
+		for (var i = 0; i < 16; i++) {
+			if ((i & 3) === 0) r = Math.random() * 4294967296;
+			rnds[i] = r >>> ((i & 3) << 3) & 255;
 		}
-		return to.concat(ar || Array.prototype.slice.call(from));
-	}
-	var noop = function() {
-		return {};
-	};
-	function id(v) {
-		return v;
-	}
-	function isObject(o) {
-		return typeof o === "object" && o !== null;
-	}
-	var objProto = Object.prototype;
-	function isArray(o) {
-		return objProto.toString.call(o) === "[object Array]";
-	}
-	function isBoolean(o) {
-		return typeof o === "boolean";
+		return rnds;
 	}
-	function isNumber(o) {
-		return typeof o === "number";
+	function bytesToUuid(buf) {
+		var byteToHex = [];
+		for (var index = 0; index < 256; ++index) byteToHex[index] = (index + 256).toString(16).substr(1);
+		var i = 0;
+		var bth = byteToHex;
+		return [
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]],
+			"-",
+			bth[buf[i++]],
+			bth[buf[i++]],
+			"-",
+			bth[buf[i++]],
+			bth[buf[i++]],
+			"-",
+			bth[buf[i++]],
+			bth[buf[i++]],
+			"-",
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]],
+			bth[buf[i++]]
+		].join("");
 	}
-	function isString(o) {
-		return typeof o === "string";
-	}
-	function arrayIncludes(array, value) {
-		if (!isArray(array)) return false;
-		if (array.length === 0) return false;
-		var k = 0;
-		while (k < array.length) {
-			if (array[k] === value) return true;
-			k++;
-		}
-		return false;
-	}
-	var arrayRemove = function(arr, e) {
-		if (!isArray(arr)) return arr;
-		var i = arr.indexOf(e);
-		if (i >= 0) {
-			var arr_ = arr.slice();
-			arr_.splice(i, 1);
-			return arr_;
-		}
-		return arr;
-	};
-	/**
-	* 按路径访问对象属性
-	* @param target 待访问对象
-	* @param property 访问属性路径
-	* @param { (target: any, property: string): any } visitor 访问器
-	*/
-	var safeVisit = function(target, path, visitor) {
-		var _a, _b;
-		var _c = __read(path.split(".")), method = _c[0], rest = _c.slice(1);
-		while (target && rest.length > 0) {
-			target = target[method];
-			_a = rest, _b = __read(_a), method = _b[0], rest = _b.slice(1);
-		}
-		if (!target) return;
-		return visitor(target, method);
-	};
-	function safeStringify(a) {
-		try {
-			return isString(a) ? a : JSON.stringify(a);
-		} catch (err) {
-			return "[FAILED_TO_STRINGIFY]:" + String(err);
-		}
-	}
-	function createContextAgent() {
-		var context = {};
-		var stringified = {};
-		var contextAgent = {
-			set: function(k, v) {
-				context[k] = v;
-				stringified[k] = safeStringify(v);
-				return contextAgent;
-			},
-			merge: function(ctx) {
-				context = __assign(__assign({}, context), ctx);
-				Object.keys(ctx).forEach(function(key) {
-					stringified[key] = safeStringify(ctx[key]);
-				});
-				return contextAgent;
-			},
-			delete: function(k) {
-				delete context[k];
-				delete stringified[k];
-				return contextAgent;
-			},
-			clear: function() {
-				context = {};
-				stringified = {};
-				return contextAgent;
-			},
-			get: function(k) {
-				return stringified[k];
-			},
-			toString: function() {
-				return __assign({}, stringified);
-			}
-		};
-		return contextAgent;
-	}
-	var getPrintString = function() {
-		if ("".padStart) return function(str, prefixLength) {
-			if (prefixLength === void 0) prefixLength = 8;
-			return str.padStart(prefixLength, " ");
-		};
-		return function(str) {
-			return str;
-		};
-	};
-	var printString = getPrintString();
-	var errCount = 0;
-	var error = function() {
-		var args = [];
-		for (var _i = 0; _i < arguments.length; _i++) args[_i] = arguments[_i];
-		console.error.apply(console, __spreadArray([
-			"[SDK]",
-			Date.now(),
-			printString("" + errCount++)
-		], __read(args), false));
-	};
-	var warnCount = 0;
-	var warn = function() {
-		var args = [];
-		for (var _i = 0; _i < arguments.length; _i++) args[_i] = arguments[_i];
-		console.warn.apply(console, __spreadArray([
-			"[SDK]",
-			Date.now(),
-			printString("" + warnCount++)
-		], __read(args), false));
-	};
-	var isHitBySampleRate = function(sampleRate) {
-		if (Math.random() < Number(sampleRate)) return true;
-		return false;
-	};
-	var isHitByRandom = function(random, sampleRate) {
-		if (random < Number(sampleRate)) return true;
-		return false;
-	};
-	var runProcessors = function(fns) {
-		return function(e) {
-			var r = e;
-			for (var i = 0; i < fns.length; i++) if (r) try {
-				r = fns[i](r);
-			} catch (err) {
-				error(err);
-			}
-			else break;
-			return r;
-		};
-	};
-	/**
-	* 生成uuid
-	* stolen from https://github.com/kelektiv/node-uuid#readme uuid/v4
-	*
-	* @returns
-	*/
-	function mathRNG() {
-		var rnds = new Array(16);
-		var r = 0;
-		for (var i = 0; i < 16; i++) {
-			if ((i & 3) === 0) r = Math.random() * 4294967296;
-			rnds[i] = r >>> ((i & 3) << 3) & 255;
-		}
-		return rnds;
-	}
-	function bytesToUuid(buf) {
-		var byteToHex = [];
-		for (var index = 0; index < 256; ++index) byteToHex[index] = (index + 256).toString(16).substr(1);
-		var i = 0;
-		var bth = byteToHex;
-		return [
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]],
-			"-",
-			bth[buf[i++]],
-			bth[buf[i++]],
-			"-",
-			bth[buf[i++]],
-			bth[buf[i++]],
-			"-",
-			bth[buf[i++]],
-			bth[buf[i++]],
-			"-",
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]],
-			bth[buf[i++]]
-		].join("");
-	}
-	function uuid() {
-		var rnds = mathRNG();
-		rnds[6] = rnds[6] & 15 | 64;
-		rnds[8] = rnds[8] & 63 | 128;
-		return bytesToUuid(rnds);
+	function uuid() {
+		var rnds = mathRNG();
+		rnds[6] = rnds[6] & 15 | 64;
+		rnds[8] = rnds[8] & 63 | 128;
+		return bytesToUuid(rnds);
 	}
 	function createDestroyAgent() {
 		var destroyed = false;
@@ -6476,381 +5981,905 @@ function resolveSlardarClient(moduleValue) {
 }
 const Slardar = resolveSlardarClient(import_index_cjs.default);
 //#endregion
-//#region ../../openclaw-slardar/lib/env.js
+//#region ../../openclaw-slardar/lib/env.js
+/**
+* 解析 Slardar 上报环境。
+*
+* 优先级:
+*   1. compile-time define `__SLARDAR_ENV__`(消费方 tsdown 配置注入)
+*   2. runtime env `process.env.MIAODA_SLARDAR_ENV`
+*   3. 默认 "online"(生产保守)
+*/
+function getSlardarEnv() {
+	return "online";
+}
+//#endregion
+//#region ../../openclaw-slardar/lib/init.js
+let initialized = false;
+let resolvedAppId;
+/**
+* 初始化 Slardar 上报通道。
+* 幂等:重复调用仅第一次生效;失败静默(不 rethrow)。
+*
+* 参数化设计:
+* - `bid` 由消费方传入(miaoda 家族统一用 "apaas_miaoda")
+* - `release` 由消费方读 package.json.version 传入
+* - `env` 可选,省略时走 `getSlardarEnv()`(compile-time define → process.env → "online")
+* - `appId` 可选,显式传入优先;否则读 `process.env.app_id`;都没就 undefined。
+*   通过 `getAppId()` 暴露给 `buildTelemetryFields` 自动注入到每次上报。
+*/
+function initSlardar(opts) {
+	if (initialized) return;
+	resolvedAppId = opts.appId ?? process.env.app_id ?? void 0;
+	try {
+		Slardar.init?.({
+			bid: opts.bid,
+			release: opts.release,
+			env: opts.env ?? getSlardarEnv(),
+			transport: {
+				get: ({ url, success, fail }) => {
+					return fetch(url).then((response) => response.json()).then((data) => success?.(data)).catch((error) => fail?.(error));
+				},
+				post: ({ url, data }) => {
+					const body = typeof data === "string" ? data : JSON.stringify(data);
+					return fetch(url, {
+						method: "POST",
+						headers: { "Content-Type": "application/json" },
+						body
+					}).catch(() => {});
+				}
+			}
+		});
+		Slardar.start?.();
+		initialized = true;
+	} catch {}
+}
+/**
+* 读取 init 时捕获的 appId;未 init 或 init 时既没传 opts.appId 又没 process.env.app_id → undefined。
+* 由 `buildTelemetryFields` 在 params.appId 缺失时自动 fallback。
+*/
+function getAppId() {
+	return resolvedAppId;
+}
+//#endregion
+//#region ../../openclaw-slardar/lib/shared.js
+function toStringValue(value) {
+	if (value === void 0) return void 0;
+	return String(value);
+}
+function buildTelemetryFields(params) {
+	const fields = { source: "node-plugin" };
+	const traceId = params.traceId;
+	const projectId = params.projectId;
+	const isNew = toStringValue(params.isNew);
+	const appId = params.appId ?? getAppId();
+	const agentId = params.agentId;
+	const sessionKey = params.sessionKey;
+	if (traceId) fields.trace_id = traceId;
+	if (projectId) fields.project_id = projectId;
+	if (isNew) fields.is_new = isNew;
+	if (appId) fields.app_id = appId;
+	if (agentId) fields.agent_id = agentId;
+	if (params.domain) fields.domain = params.domain;
+	if (sessionKey) fields.session_key = sessionKey;
+	return fields;
+}
+function mergeLogExtra(base, extra) {
+	const merged = { ...base };
+	for (const [key, value] of Object.entries(extra ?? {})) {
+		if (value === void 0 || value === null) continue;
+		merged[key] = typeof value === "boolean" ? String(value) : value;
+	}
+	return merged;
+}
+//#endregion
+//#region ../../openclaw-slardar/lib/report-task.js
+const DEFAULT_EVENT_NAME = "miaoda_coding_task";
+function reportTask(params) {
+	try {
+		const metrics = {};
+		const telemetryFields = buildTelemetryFields(params);
+		const durationMs = params.durationMs;
+		const sseEventCount = params.sseEventCount;
+		const reconnectCount = params.reconnectCount;
+		const createDurationMs = params.createDurationMs;
+		if (typeof durationMs === "number") metrics.duration_ms = durationMs;
+		if (typeof sseEventCount === "number") metrics.sse_event_count = sseEventCount;
+		if (typeof reconnectCount === "number") metrics.reconnect_count = reconnectCount;
+		if (typeof createDurationMs === "number") metrics.create_duration_ms = createDurationMs;
+		if (params.extraMetrics) {
+			for (const [key, value] of Object.entries(params.extraMetrics)) if (typeof value === "number") metrics[key] = value;
+		}
+		const categories = {
+			...telemetryFields,
+			is_new: telemetryFields.is_new ?? "false"
+		};
+		if (params.status) categories.status = params.status;
+		const errorType = params.errorType;
+		if (params.phase) categories.phase = params.phase;
+		if (errorType) categories.error_type = errorType.slice(0, 100);
+		if (params.extraCategories) {
+			for (const [key, value] of Object.entries(params.extraCategories)) if (typeof value === "string") categories[key] = value;
+		}
+		Slardar.sendEvent?.({
+			name: params.eventName ?? DEFAULT_EVENT_NAME,
+			metrics,
+			categories
+		});
+	} catch {}
+}
+//#endregion
+//#region ../../openclaw-slardar/lib/report-error.js
+function reportError(params) {
+	try {
+		if (!params.projectId && !params.sessionKey && !params.agentId) {}
+		const extra = mergeLogExtra(buildTelemetryFields(params), {
+			event: params.event,
+			phase: params.phase
+		});
+		const logIds = params.logIds;
+		if (logIds?.length) extra.log_ids = logIds.join(",");
+		if (params.extraCategories) {
+			for (const [key, value] of Object.entries(params.extraCategories)) if (typeof value === "string") extra[key] = value;
+		}
+		Slardar.sendLog?.({
+			content: params.error,
+			level: "error",
+			extra
+		});
+	} catch {}
+}
+//#endregion
+//#region src/install-cli.ts
+const LARK_CLI_NAME = "lark-cli";
+const AGENT_SKILLS_NAME = "agent-skills";
+const WORKSPACE_AGENT_REL = "workspace/agent";
+async function installClis(tag, ossFileMap, opts) {
+	const homeBase = resolveHomeBase(opts.homeBase);
+	if (opts.names.length === 0) throw new Error("install-cli: must provide at least one --cli=<name>");
+	const manifest = await fetchManifest(ossFileMap, tag);
+	const allClis = manifest.packages.filter((p) => p.role === "cli" && p.name !== "openclaw");
+	const wanted = new Set(opts.names);
+	let targets = allClis.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
+	const foundKeys = /* @__PURE__ */ new Set();
+	for (const t of targets) {
+		foundKeys.add(t.name);
+		if (t.packageName) foundKeys.add(t.packageName);
+	}
+	const missing = opts.names.filter((n) => !foundKeys.has(n));
+	if (missing.length > 0) throw new Error(`install-cli: not found in manifest: ${missing.join(", ")}`);
+	const withUrl = [];
+	const missingUrl = [];
+	for (const p of targets) if (ossFileMap[p.ossKey]) withUrl.push(p);
+	else missingUrl.push(p.ossKey);
+	if (missingUrl.length > 0) console.error(`[install-cli] WARN: signed URL missing for [${missingUrl.join(", ")}] — skipping`);
+	targets = withUrl;
+	if (targets.length === 0) {
+		console.error(`[install-cli] no installable targets after URL check, done`);
+		return;
+	}
+	console.error(`[install-cli] tag=${tag} targets=${targets.length}`);
+	const t0 = Date.now();
+	const tarballs = await Promise.all(targets.map(async (p) => {
+		const tb = await downloadWithCache(p, ossFileMap, opts);
+		console.error(`[install-cli]   ${p.name}: downloaded`);
+		return {
+			pkg: p,
+			tarball: tb
+		};
+	}));
+	for (const { pkg, tarball } of tarballs) {
+		installOne(pkg, tarball, homeBase, opts.tmpRoot);
+		linkBins(pkg, homeBase);
+		console.error(`[install-cli]   ${pkg.name}: installed`);
+	}
+	if (targets.some((p) => p.name === LARK_CLI_NAME)) {
+		const skillsInstallPath = await installAgentSkills(manifest, ossFileMap, opts, homeBase, opts.tmpRoot);
+		if (skillsInstallPath) linkAgentSkills(homeBase, skillsInstallPath);
+		const appIds = collectFeishuAppIds();
+		console.error(`[install-cli] lark-cli installed — running lark-cli-init for ${appIds.length} appId(s): [${appIds.join(", ")}]`);
+		for (const appId of appIds) {
+			console.error(`[install-cli] lark-cli-init: appId=${appId}`);
+			const result = runLarkCliInit({
+				appId,
+				feishuAppSecret: opts.feishuAppSecret
+			});
+			console.error(`[install-cli] lark-cli-init: appId=${appId} ok=${result.ok}` + (result.skipped ? ` skipped=true reason=${result.skipReason}` : "") + (result.error ? ` error=${result.error}` : ""));
+			const outputText = [
+				result.error,
+				result.configInitStdout,
+				result.configInitStderr
+			].join(" ");
+			if (/error/i.test(outputText)) reportError({
+				error: `lark-cli-init failed for appId=${appId}: ${result.error ?? "unknown"}`,
+				extraCategories: {
+					event: "install_cli_lark_init_failed",
+					appId
+				}
+			});
+		}
+	}
+	console.error(`[install-cli] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
+}
+function linkBins(pkg, homeBase) {
+	const targetDir = node_path.default.join(homeBase, pkg.installPath);
+	const pkgJsonPath = node_path.default.join(targetDir, "package.json");
+	let pkgJson;
+	try {
+		pkgJson = JSON.parse(node_fs.default.readFileSync(pkgJsonPath, "utf-8"));
+	} catch (e) {
+		console.error(`[install-cli] linkBins: could not read package.json for ${pkg.name}: ${e.message}`);
+		return;
+	}
+	const { bin } = pkgJson;
+	if (!bin) {
+		console.error(`[install-cli] linkBins: no bin field in package.json for ${pkg.name}, skipping`);
+		return;
+	}
+	const entries = typeof bin === "string" ? [[node_path.default.basename(typeof pkgJson.name === "string" ? pkgJson.name : pkg.name), bin]] : Object.entries(bin);
+	const binDir = node_path.default.join(homeBase, ".npm-global/bin");
+	node_fs.default.mkdirSync(binDir, { recursive: true });
+	for (const [binName, binFile] of entries) {
+		const binTarget = node_path.default.join(targetDir, binFile);
+		try {
+			node_fs.default.chmodSync(binTarget, 493);
+		} catch {}
+		const symlinkPath = node_path.default.join(binDir, binName);
+		const relTarget = node_path.default.relative(binDir, binTarget);
+		try {
+			node_fs.default.unlinkSync(symlinkPath);
+		} catch {}
+		node_fs.default.symlinkSync(relTarget, symlinkPath);
+		console.error(`[install-cli] linkBins: ${symlinkPath} -> ${relTarget}`);
+	}
+}
+async function installAgentSkills(manifest, ossFileMap, downloadOpts, homeBase, tmpRoot) {
+	const pkg = manifest.packages.find((p) => p.role === "template" && p.name === AGENT_SKILLS_NAME);
+	if (!pkg) {
+		console.error(`[install-cli] installAgentSkills: ${AGENT_SKILLS_NAME} not found in manifest (tag may not bundle it) — skipping skill install`);
+		return null;
+	}
+	console.error(`[install-cli] installAgentSkills: downloading ${pkg.name}@${pkg.version}`);
+	const tarball = await downloadWithCache(pkg, ossFileMap, downloadOpts);
+	const targetDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, pkg.installPath);
+	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(tmpRoot ?? node_os.default.tmpdir(), "agent-skills-"));
+	try {
+		console.error(`[install-cli] installAgentSkills: extracting to tmpStage=${tmpStage}`);
+		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
+		const extracted = node_fs.default.readdirSync(tmpStage);
+		console.error(`[install-cli] installAgentSkills: extracted ${extracted.length} entries: [${extracted.join(", ")}]`);
+		const bakDir = targetDir + ".bak";
+		const newDir = targetDir + ".new";
+		node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
+		if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
+			recursive: true,
+			force: true
+		});
+		if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+			recursive: true,
+			force: true
+		});
+		moveSafe(tmpStage, newDir);
+		const hadExisting = node_fs.default.existsSync(targetDir);
+		console.error(`[install-cli] installAgentSkills: swapping into targetDir=${targetDir} hadExisting=${hadExisting}`);
+		try {
+			if (hadExisting) moveSafe(targetDir, bakDir);
+			moveSafe(newDir, targetDir);
+		} catch (e) {
+			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
+				moveSafe(bakDir, targetDir);
+			} catch {}
+			try {
+				node_fs.default.rmSync(newDir, {
+					recursive: true,
+					force: true
+				});
+			} catch {}
+			throw e;
+		}
+		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+			recursive: true,
+			force: true
+		});
+		console.error(`[install-cli] installAgentSkills: done — skills installed to ${targetDir}`);
+		return pkg.installPath;
+	} finally {
+		if (node_fs.default.existsSync(tmpStage)) try {
+			node_fs.default.rmSync(tmpStage, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+	}
+}
+/**
+* (Re)create workspace/agent/skills/<name> → ../<installPath>/<name> symlinks so
+* the agent workspace sees agent-skills under the conventional skills/ directory.
+*
+* Both sides share workspace/agent/ as parent, so the relative link form is stable
+* regardless of where homeBase is mounted.
+*
+* @param homeBase  Root directory (default /home/gem). installPath is relative to
+*                  <homeBase>/workspace/agent/.
+* @param installPath  Relative path of the extracted skills dir under workspace/agent
+*                     (e.g. ".agents/skills").
+*/
+function linkAgentSkills(homeBase, installPath) {
+	const targetDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, installPath);
+	const skillsLinkDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, "skills");
+	if (!node_fs.default.existsSync(targetDir)) {
+		console.error(`[install-cli] linkAgentSkills: targetDir=${targetDir} does not exist — skipping`);
+		return;
+	}
+	const skillDirs = node_fs.default.readdirSync(targetDir, { withFileTypes: true }).filter((e) => e.isDirectory());
+	console.error(`[install-cli] linkAgentSkills: creating ${skillDirs.length} symlinks in ${skillsLinkDir}`);
+	node_fs.default.mkdirSync(skillsLinkDir, { recursive: true });
+	for (const entry of skillDirs) {
+		const relTarget = node_path.default.join("..", installPath, entry.name);
+		const symlinkPath = node_path.default.join(skillsLinkDir, entry.name);
+		try {
+			node_fs.default.unlinkSync(symlinkPath);
+		} catch {}
+		node_fs.default.symlinkSync(relTarget, symlinkPath);
+		console.error(`[install-cli] linkAgentSkills:   ${entry.name} -> ${relTarget}`);
+	}
+	console.error(`[install-cli] linkAgentSkills: done — ${skillDirs.length} skill(s) symlinked from ${skillsLinkDir}`);
+}
+function installOne(pkg, tarball, homeBase, tmpRoot) {
+	const targetDir = node_path.default.join(homeBase, pkg.installPath);
+	const bakDir = targetDir + ".bak";
+	const newDir = targetDir + ".new";
+	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
+	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
+		recursive: true,
+		force: true
+	});
+	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+		recursive: true,
+		force: true
+	});
+	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(tmpRoot ?? node_os.default.tmpdir(), "cli-install-"));
+	try {
+		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
+		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error(`cli tarball missing package.json: ${pkg.name}`);
+		moveSafe(tmpStage, newDir);
+		const hadExisting = node_fs.default.existsSync(targetDir);
+		try {
+			if (hadExisting) moveSafe(targetDir, bakDir);
+			moveSafe(newDir, targetDir);
+		} catch (e) {
+			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
+				moveSafe(bakDir, targetDir);
+			} catch {}
+			try {
+				node_fs.default.rmSync(newDir, {
+					recursive: true,
+					force: true
+				});
+			} catch {}
+			throw e;
+		}
+		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+			recursive: true,
+			force: true
+		});
+	} finally {
+		if (node_fs.default.existsSync(tmpStage)) try {
+			node_fs.default.rmSync(tmpStage, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+	}
+}
+//#endregion
+//#region src/download-resource.ts
 /**
-* 解析 Slardar 上报环境。
+* Download + extract a config/template package to its install destination.
 *
-* 优先级:
-*   1. compile-time define `__SLARDAR_ENV__`(消费方 tsdown 配置注入)
-*   2. runtime env `process.env.MIAODA_SLARDAR_ENV`
-*   3. 默认 "online"(生产保守)
+* Current manifest has all resources as format=tgz with content at the root
+* (config: openclaw.json file at root; template: scripts/ dir at root), so we
+* always `tar -xzf` without --strip-components into `dirname(fullInstallPath)`.
+* The final artefact ends up at exactly `homeBase + pkg.installPath`.
 */
-function getSlardarEnv() {
-	return "online";
+async function downloadResource(tag, ossFileMap, opts) {
+	const homeBase = resolveHomeBase(opts.homeBase);
+	const pkg = (await fetchManifest(ossFileMap, tag)).packages.find((p) => p.role === opts.role && p.name === opts.name);
+	if (!pkg) throw new Error(`download-resource: not found in manifest: role=${opts.role} name=${opts.name}`);
+	const file = await downloadWithCache(pkg, ossFileMap, opts);
+	const fullInstallPath = node_path.default.join(homeBase, pkg.installPath);
+	const extractDir = opts.dir ?? node_path.default.dirname(fullInstallPath);
+	node_fs.default.mkdirSync(extractDir, { recursive: true });
+	const format = (pkg.format ?? "").toLowerCase();
+	const lower = pkg.ossKey.toLowerCase();
+	if (format === "tgz" || lower.endsWith(".tgz") || lower.endsWith(".tar.gz")) {
+		extractTarballTolerant(file, extractDir);
+		console.error(`[download-resource] ${opts.role}/${opts.name}: extracted to ${extractDir}`);
+	} else {
+		const basename = node_path.default.posix.basename(pkg.ossKey);
+		node_fs.default.copyFileSync(file, node_path.default.join(extractDir, basename));
+		console.error(`[download-resource] ${opts.role}/${opts.name}: copied ${basename} to ${extractDir}`);
+	}
 }
 //#endregion
-//#region ../../openclaw-slardar/lib/init.js
-let initialized = false;
-let resolvedAppId;
+//#region src/oss/getOpenclawTag.ts
 /**
-* 初始化 Slardar 上报通道。
-* 幂等:重复调用仅第一次生效;失败静默(不 rethrow)。
+* Extracts the openclaw tag from the manifest key present in ossFileMap.
+* Avoids passing an extra ctx field — we already know the tag from the
+* well-known manifest key studio_server included.
 *
-* 参数化设计:
-* - `bid` 由消费方传入(miaoda 家族统一用 "apaas_miaoda")
-* - `release` 由消费方读 package.json.version 传入
-* - `env` 可选,省略时走 `getSlardarEnv()`(compile-time define → process.env → "online")
-* - `appId` 可选,显式传入优先;否则读 `process.env.app_id`;都没就 undefined。
-*   通过 `getAppId()` 暴露给 `buildTelemetryFields` 自动注入到每次上报。
-*/
-function initSlardar(opts) {
-	if (initialized) return;
-	resolvedAppId = opts.appId ?? process.env.app_id ?? void 0;
-	try {
-		Slardar.init?.({
-			bid: opts.bid,
-			release: opts.release,
-			env: opts.env ?? getSlardarEnv(),
-			transport: {
-				get: ({ url, success, fail }) => {
-					return fetch(url).then((response) => response.json()).then((data) => success?.(data)).catch((error) => fail?.(error));
-				},
-				post: ({ url, data }) => {
-					const body = typeof data === "string" ? data : JSON.stringify(data);
-					return fetch(url, {
-						method: "POST",
-						headers: { "Content-Type": "application/json" },
-						body
-					}).catch(() => {});
-				}
-			}
-		});
-		Slardar.start?.();
-		initialized = true;
-	} catch {}
-}
-/**
-* 读取 init 时捕获的 appId;未 init 或 init 时既没传 opts.appId 又没 process.env.app_id → undefined。
-* 由 `buildTelemetryFields` 在 params.appId 缺失时自动 fallback。
+* Manifest key shape: builtin/manifests/openclaw/recommended/<tag>.json
 */
-function getAppId() {
-	return resolvedAppId;
+function getOpenclawTagFromOssFileMap(ossFileMap) {
+	const prefix = "builtin/manifests/openclaw/recommended/";
+	const suffix = ".json";
+	for (const key of Object.keys(ossFileMap)) if (key.startsWith(prefix) && key.endsWith(suffix)) return key.slice(39, -5);
+	throw new Error("cannot resolve openclaw tag: ossFileMap missing manifest key");
 }
 //#endregion
-//#region ../../openclaw-slardar/lib/shared.js
-function toStringValue(value) {
-	if (value === void 0) return void 0;
-	return String(value);
-}
-function buildTelemetryFields(params) {
-	const fields = { source: "node-plugin" };
-	const traceId = params.traceId;
-	const projectId = params.projectId;
-	const isNew = toStringValue(params.isNew);
-	const appId = params.appId ?? getAppId();
-	const agentId = params.agentId;
-	const sessionKey = params.sessionKey;
-	if (traceId) fields.trace_id = traceId;
-	if (projectId) fields.project_id = projectId;
-	if (isNew) fields.is_new = isNew;
-	if (appId) fields.app_id = appId;
-	if (agentId) fields.agent_id = agentId;
-	if (params.domain) fields.domain = params.domain;
-	if (sessionKey) fields.session_key = sessionKey;
-	return fields;
+//#region src/reset.ts
+const POLICY_KEYS = [
+	"dmPolicy",
+	"allowFrom",
+	"groupPolicy",
+	"groupAllowFrom"
+];
+const STEPS = [
+	"备份当前配置",
+	"生成默认配置",
+	"杀掉 openclaw 进程",
+	"等待沙箱初始化完成",
+	"确认 openclaw 版本",
+	"合并核心备份配置",
+	"检查启动脚本",
+	"安装扩展和CLI工具",
+	"启动并验证"
+];
+const TOTAL_STEPS = STEPS.length;
+function writeResultFile(resultFile, result) {
+	const dir = node_path.default.dirname(resultFile);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	const tmpPath = resultFile + ".tmp";
+	node_fs.default.writeFileSync(tmpPath, JSON.stringify(result), "utf-8");
+	moveSafe(tmpPath, resultFile);
 }
-function mergeLogExtra(base, extra) {
-	const merged = { ...base };
-	for (const [key, value] of Object.entries(extra ?? {})) {
-		if (value === void 0 || value === null) continue;
-		merged[key] = typeof value === "boolean" ? String(value) : value;
-	}
-	return merged;
+function updateProgress(resultFile, step, startedAt) {
+	writeResultFile(resultFile, {
+		status: "running",
+		step,
+		totalSteps: TOTAL_STEPS,
+		progress: STEPS[step - 1],
+		startedAt
+	});
 }
-//#endregion
-//#region ../../openclaw-slardar/lib/report-task.js
-const DEFAULT_EVENT_NAME = "miaoda_coding_task";
-function reportTask(params) {
-	try {
-		const metrics = {};
-		const telemetryFields = buildTelemetryFields(params);
-		const durationMs = params.durationMs;
-		const sseEventCount = params.sseEventCount;
-		const reconnectCount = params.reconnectCount;
-		const createDurationMs = params.createDurationMs;
-		if (typeof durationMs === "number") metrics.duration_ms = durationMs;
-		if (typeof sseEventCount === "number") metrics.sse_event_count = sseEventCount;
-		if (typeof reconnectCount === "number") metrics.reconnect_count = reconnectCount;
-		if (typeof createDurationMs === "number") metrics.create_duration_ms = createDurationMs;
-		if (params.extraMetrics) {
-			for (const [key, value] of Object.entries(params.extraMetrics)) if (typeof value === "number") metrics[key] = value;
-		}
-		const categories = {
-			...telemetryFields,
-			is_new: telemetryFields.is_new ?? "false"
-		};
-		if (params.status) categories.status = params.status;
-		const errorType = params.errorType;
-		if (params.phase) categories.phase = params.phase;
-		if (errorType) categories.error_type = errorType.slice(0, 100);
-		if (params.extraCategories) {
-			for (const [key, value] of Object.entries(params.extraCategories)) if (typeof value === "string") categories[key] = value;
-		}
-		Slardar.sendEvent?.({
-			name: params.eventName ?? DEFAULT_EVENT_NAME,
-			metrics,
-			categories
-		});
-	} catch {}
+function markDone(resultFile, startedAt) {
+	writeResultFile(resultFile, {
+		status: "done",
+		step: TOTAL_STEPS,
+		totalSteps: TOTAL_STEPS,
+		progress: "重置完成",
+		startedAt,
+		completedAt: (/* @__PURE__ */ new Date()).toISOString()
+	});
 }
-//#endregion
-//#region ../../openclaw-slardar/lib/report-error.js
-function reportError(params) {
-	try {
-		if (!params.projectId && !params.sessionKey && !params.agentId) {}
-		const extra = mergeLogExtra(buildTelemetryFields(params), {
-			event: params.event,
-			phase: params.phase
-		});
-		const logIds = params.logIds;
-		if (logIds?.length) extra.log_ids = logIds.join(",");
-		if (params.extraCategories) {
-			for (const [key, value] of Object.entries(params.extraCategories)) if (typeof value === "string") extra[key] = value;
-		}
-		Slardar.sendLog?.({
-			content: params.error,
-			level: "error",
-			extra
-		});
-	} catch {}
+function markFailed(resultFile, step, error, startedAt) {
+	writeResultFile(resultFile, {
+		status: "failed",
+		step,
+		totalSteps: TOTAL_STEPS,
+		progress: step > 0 ? STEPS[step - 1] : "初始化",
+		error,
+		startedAt,
+		completedAt: (/* @__PURE__ */ new Date()).toISOString()
+	});
 }
-//#endregion
-//#region src/install-cli.ts
-const LARK_CLI_NAME = "lark-cli";
-const AGENT_SKILLS_NAME = "agent-skills";
-const WORKSPACE_AGENT_REL = "workspace/agent";
-async function installClis(tag, ossFileMap, opts) {
-	const homeBase = resolveHomeBase(opts.homeBase);
-	if (opts.names.length === 0) throw new Error("install-cli: must provide at least one --cli=<name>");
-	const manifest = await fetchManifest(ossFileMap, tag);
-	const allClis = manifest.packages.filter((p) => p.role === "cli" && p.name !== "openclaw");
-	const wanted = new Set(opts.names);
-	const targets = allClis.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
-	const foundKeys = /* @__PURE__ */ new Set();
-	for (const t of targets) {
-		foundKeys.add(t.name);
-		if (t.packageName) foundKeys.add(t.packageName);
-	}
-	const missing = opts.names.filter((n) => !foundKeys.has(n));
-	if (missing.length > 0) throw new Error(`install-cli: not found in manifest: ${missing.join(", ")}`);
-	console.error(`[install-cli] tag=${tag} targets=${targets.length}`);
-	const t0 = Date.now();
-	const tarballs = await Promise.all(targets.map(async (p) => {
-		const tb = await downloadWithCache(p, ossFileMap, opts);
-		console.error(`[install-cli]   ${p.name}: downloaded`);
-		return {
-			pkg: p,
-			tarball: tb
-		};
-	}));
-	for (const { pkg, tarball } of tarballs) {
-		installOne(pkg, tarball, homeBase, opts.tmpRoot);
-		linkBins(pkg, homeBase);
-		console.error(`[install-cli]   ${pkg.name}: installed`);
+/**
+* Download the template assets (config/openclaw.json + template/scripts) from
+* OSS into a scratch directory so the existing step 2 (generateDefaultConfig)
+* and step 7 (copyStartupScripts) can consume them as local files — the rest
+* of the orchestrator code stays untouched.
+*
+* Called once before step 1. The caller is responsible for rm -rf'ing
+* stagedDir in a finally{} block after the reset completes (or fails).
+*/
+async function stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log) {
+	if (node_fs.default.existsSync(stagedDir)) node_fs.default.rmSync(stagedDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(stagedDir, { recursive: true });
+	await downloadResource(openclawTag, ossFileMap, {
+		role: "config",
+		name: "openclaw.json",
+		dir: stagedDir
+	});
+	await downloadResource(openclawTag, ossFileMap, {
+		role: "template",
+		name: "scripts",
+		dir: configDir
+	});
+	log(`staged openclaw.json to ${stagedDir}, scripts directly to ${configDir}/scripts`);
+}
+/** Step 1: Backup current config as openclaw.json.bak.N */
+function backupCurrentConfig(configPath, log) {
+	if (!fileExists(configPath)) {
+		log("no existing config, skip backup");
+		return;
 	}
-	if (targets.some((p) => p.name === LARK_CLI_NAME)) {
-		const skillsInstallPath = await installAgentSkills(manifest, ossFileMap, opts, homeBase, opts.tmpRoot);
-		if (skillsInstallPath) linkAgentSkills(homeBase, skillsInstallPath);
-		const appIds = collectFeishuAppIds();
-		console.error(`[install-cli] lark-cli installed — running lark-cli-init for ${appIds.length} appId(s): [${appIds.join(", ")}]`);
-		for (const appId of appIds) {
-			console.error(`[install-cli] lark-cli-init: appId=${appId}`);
-			const result = runLarkCliInit({
-				appId,
-				feishuAppSecret: opts.feishuAppSecret
-			});
-			console.error(`[install-cli] lark-cli-init: appId=${appId} ok=${result.ok}` + (result.skipped ? ` skipped=true reason=${result.skipReason}` : "") + (result.error ? ` error=${result.error}` : ""));
-			const outputText = [
-				result.error,
-				result.configInitStdout,
-				result.configInitStderr
-			].join(" ");
-			if (/error/i.test(outputText)) reportError({
-				error: `lark-cli-init failed for appId=${appId}: ${result.error ?? "unknown"}`,
-				extraCategories: {
-					event: "install_cli_lark_init_failed",
-					appId
-				}
-			});
+	const dir = node_path.default.dirname(configPath);
+	let maxN = 0;
+	try {
+		for (const f of node_fs.default.readdirSync(dir)) {
+			const match = f.match(/^openclaw\.json\.bak\.(\d+)$/);
+			if (match) {
+				const n = parseInt(match[1], 10);
+				if (n > maxN) maxN = n;
+			}
 		}
+	} catch {}
+	const bakPath = configPath + ".bak." + (maxN + 1);
+	node_fs.default.copyFileSync(configPath, bakPath);
+	log(`backed up to ${bakPath}`);
+}
+/** Step 2: Replace $$__XXX__ placeholders and write default config. */
+function generateDefaultConfig(srcDir, configPath, templateVars, log) {
+	const srcConfigPath = node_path.default.join(srcDir, "openclaw.json");
+	if (!fileExists(srcConfigPath)) throw new Error("staged openclaw.json not found at " + srcConfigPath);
+	let content = node_fs.default.readFileSync(srcConfigPath, "utf-8");
+	let replaced = 0;
+	for (const [placeholder, value] of Object.entries(templateVars)) {
+		const parts = content.split(placeholder);
+		if (parts.length > 1) replaced += parts.length - 1;
+		content = parts.join(value);
 	}
-	console.error(`[install-cli] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
+	node_fs.default.writeFileSync(configPath, content, "utf-8");
+	log(`wrote ${configPath} (${replaced} placeholder(s) replaced, ${Object.keys(templateVars).length} provided)`);
 }
-function linkBins(pkg, homeBase) {
-	const targetDir = node_path.default.join(homeBase, pkg.installPath);
-	const pkgJsonPath = node_path.default.join(targetDir, "package.json");
-	let pkgJson;
+/** Step 3: Kill all openclaw processes. */
+function killOpenclawProcesses(log) {
 	try {
-		pkgJson = JSON.parse(node_fs.default.readFileSync(pkgJsonPath, "utf-8"));
-	} catch (e) {
-		console.error(`[install-cli] linkBins: could not read package.json for ${pkg.name}: ${e.message}`);
-		return;
-	}
-	const { bin } = pkgJson;
-	if (!bin) {
-		console.error(`[install-cli] linkBins: no bin field in package.json for ${pkg.name}, skipping`);
-		return;
-	}
-	const entries = typeof bin === "string" ? [[node_path.default.basename(typeof pkgJson.name === "string" ? pkgJson.name : pkg.name), bin]] : Object.entries(bin);
-	const binDir = node_path.default.join(homeBase, ".npm-global/bin");
-	node_fs.default.mkdirSync(binDir, { recursive: true });
-	for (const [binName, binFile] of entries) {
-		const binTarget = node_path.default.join(targetDir, binFile);
+		shell("pkill -f openclaw-gateway || true", 5e3);
+	} catch {}
+	shell("sleep 2", 5e3);
+	log("killed openclaw-gateway processes");
+}
+/**
+* Step 4: Wait for the sandbox's own init (init_sandbox.sh / concurrent npm
+* install) to finish before we start our own work. Two processes sharing
+* ~/.npm cache + competing for disk/network just makes everything crawl;
+* letting init finish first is the cleanest way to get exclusive access.
+* Polls every 10s up to `maxWaitMs`. If the deadline is hit we fall through
+* anyway — better to try than to fail the reset outright.
+*
+* Kept even after we switched off `npm install` because the sandbox init
+* script still runs `npm install` for other packages and holds cache locks.
+*/
+function waitForInitNpm(maxWaitMs, log) {
+	const deadline = Date.now() + maxWaitMs;
+	const ownPid = String(process.pid);
+	let polls = 0;
+	while (Date.now() < deadline) {
+		polls++;
+		let running = 0;
 		try {
-			node_fs.default.chmodSync(binTarget, 493);
-		} catch {}
-		const symlinkPath = node_path.default.join(binDir, binName);
-		const relTarget = node_path.default.relative(binDir, binTarget);
+			const out = shell(`pgrep -af "init_sandbox.sh|npm install|npm i " | grep -v -- "${ownPid}" | wc -l`, 1e4);
+			running = parseInt(out.trim(), 10) || 0;
+		} catch {
+			log(`poll ${polls}: no concurrent npm, proceeding`);
+			return;
+		}
+		if (running === 0) {
+			log(`poll ${polls}: no concurrent npm, proceeding`);
+			return;
+		}
+		log(`poll ${polls}: ${running} concurrent npm/init process(es) still running, waiting 10s`);
 		try {
-			node_fs.default.unlinkSync(symlinkPath);
+			shell("sleep 10", 12e3);
 		} catch {}
-		node_fs.default.symlinkSync(relTarget, symlinkPath);
-		console.error(`[install-cli] linkBins: ${symlinkPath} -> ${relTarget}`);
 	}
+	log(`deadline (${maxWaitMs}ms) hit after ${polls} poll(s), proceeding anyway`);
 }
-async function installAgentSkills(manifest, ossFileMap, downloadOpts, homeBase, tmpRoot) {
-	const pkg = manifest.packages.find((p) => p.role === "template" && p.name === AGENT_SKILLS_NAME);
-	if (!pkg) {
-		console.error(`[install-cli] installAgentSkills: ${AGENT_SKILLS_NAME} not found in manifest (tag may not bundle it) — skipping skill install`);
-		return null;
-	}
-	console.error(`[install-cli] installAgentSkills: downloading ${pkg.name}@${pkg.version}`);
-	const tarball = await downloadWithCache(pkg, ossFileMap, downloadOpts);
-	const targetDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, pkg.installPath);
-	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(tmpRoot ?? node_os.default.tmpdir(), "agent-skills-"));
-	try {
-		console.error(`[install-cli] installAgentSkills: extracting to tmpStage=${tmpStage}`);
-		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
-		const extracted = node_fs.default.readdirSync(tmpStage);
-		console.error(`[install-cli] installAgentSkills: extracted ${extracted.length} entries: [${extracted.join(", ")}]`);
-		const bakDir = targetDir + ".bak";
-		const newDir = targetDir + ".new";
-		node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
-		if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
-			recursive: true,
-			force: true
-		});
-		if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-			recursive: true,
-			force: true
-		});
-		moveSafe(tmpStage, newDir);
-		const hadExisting = node_fs.default.existsSync(targetDir);
-		console.error(`[install-cli] installAgentSkills: swapping into targetDir=${targetDir} hadExisting=${hadExisting}`);
-		try {
-			if (hadExisting) moveSafe(targetDir, bakDir);
-			moveSafe(newDir, targetDir);
-		} catch (e) {
-			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
-				moveSafe(bakDir, targetDir);
-			} catch {}
-			try {
-				node_fs.default.rmSync(newDir, {
-					recursive: true,
-					force: true
+/**
+* Step 5: Install openclaw from the OSS-provided tarball at the target tag,
+* then verify `openclaw --version` output contains that tag. No npm involved.
+*/
+async function step5InstallOpenclaw(openclawTag, ossFileMap, log) {
+	log(`install-openclaw tag=${openclawTag}`);
+	await installOpenclaw(openclawTag, ossFileMap);
+	const out = shell("openclaw --version 2>&1 || true", 1e4).trim();
+	if (!out.includes(openclawTag)) throw new Error(`openclaw version verify failed: got "${out}"`);
+	log(`openclaw version verified: ${out}`);
+}
+/** Step 6: Merge coreBackup from resetData + ensure allowedOrigins. */
+function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
+	const JSON5 = loadJSON5();
+	const backup = resetData.coreBackup;
+	if (backup) {
+		const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
+		const merged = [];
+		const backupAccounts = backup.channels?.feishu?.accounts;
+		const isMultiAgent = (backup.agents?.length ?? 0) > 0 || backupAccounts != null && Object.keys(backupAccounts).length > 0;
+		if (backup.bindings && backup.bindings.length > 0) {
+			config.bindings = backup.bindings;
+			merged.push("bindings");
+		}
+		if (isMultiAgent) {
+			if (backup.agents && backup.agents.length > 0) {
+				if (!config.agents) config.agents = {};
+				const agents = config.agents;
+				if (!Array.isArray(agents.list)) agents.list = [];
+				const configDir = node_path.default.dirname(configPath);
+				for (const agent of backup.agents) agents.list.push({
+					id: agent.id,
+					name: agent.id,
+					workspace: agent.workspace,
+					agentDir: configDir + "/agents/" + agent.id + "/agent"
 				});
-			} catch {}
-			throw e;
+				merged.push(`agents(+${backup.agents.length})`);
+				const list = agents.list;
+				let mainIdx = list.findIndex((a) => a.id === "main");
+				if (mainIdx < 0) {
+					list.unshift({ id: "main" });
+					mainIdx = 0;
+				}
+				list[mainIdx].subagents = { allowAgents: ["*"] };
+				list[mainIdx].default = true;
+				merged.push("main-team-mode");
+			}
+			if (!config.channels) config.channels = {};
+			const ch = config.channels;
+			if (!ch.feishu) ch.feishu = {};
+			const feishu = ch.feishu;
+			if (!feishu.accounts) feishu.accounts = {};
+			const accounts = feishu.accounts;
+			if (backupAccounts && Object.keys(backupAccounts).length > 0) {
+				Object.assign(accounts, backupAccounts);
+				merged.push("channels.feishu.accounts");
+			}
+			if (typeof feishu.appId === "string" && feishu.appId !== "") {
+				const topAppId = feishu.appId;
+				const botKey = `bot-${topAppId}`;
+				const existing = asRecord(accounts[botKey]) ?? {};
+				if (!existing.appId) existing.appId = topAppId;
+				if (!existing.appSecret && feishu.appSecret !== void 0) existing.appSecret = feishu.appSecret;
+				for (const k of POLICY_KEYS) if (feishu[k] !== void 0 && !(k in existing)) existing[k] = feishu[k];
+				accounts[botKey] = existing;
+				delete feishu.appId;
+				delete feishu.appSecret;
+				for (const k of POLICY_KEYS) delete feishu[k];
+				merged.push(`feishu.appId→${botKey}`);
+				if (!Array.isArray(config.bindings)) config.bindings = [];
+				const bindingList = config.bindings;
+				if (!bindingList.some((b) => b.agentId === "main" && asRecord(b.match)?.channel === "feishu")) {
+					bindingList.unshift({
+						agentId: "main",
+						match: {
+							channel: "feishu",
+							accountId: botKey
+						}
+					});
+					merged.push(`binding:main→${botKey}`);
+				}
+			}
+			delete accounts.default;
+			delete accounts.defaultAccount;
 		}
-		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-			recursive: true,
-			force: true
-		});
-		console.error(`[install-cli] installAgentSkills: done — skills installed to ${targetDir}`);
-		return pkg.installPath;
-	} finally {
-		if (node_fs.default.existsSync(tmpStage)) try {
-			node_fs.default.rmSync(tmpStage, {
-				recursive: true,
-				force: true
-			});
-		} catch {}
+		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+		log(`merged from coreBackup: [${merged.join(", ") || "nothing"}]`);
+	} else log("no coreBackup in resetData, skip multi-agent merge");
+	const expectedOrigins = Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
+	if (expectedOrigins.length === 0) {
+		log("no expectedOrigins provided");
+		return;
+	}
+	const config = JSON5.parse(node_fs.default.readFileSync(configPath, "utf-8"));
+	if (!config.gateway) config.gateway = {};
+	const gw = config.gateway;
+	if (!gw.controlUi) gw.controlUi = {};
+	const cui = gw.controlUi;
+	const current = Array.isArray(cui.allowedOrigins) ? cui.allowedOrigins.filter((o) => typeof o === "string") : [];
+	if (current.includes("*")) {
+		log("allowedOrigins already contains \"*\", skip origin merge");
+		return;
+	}
+	const seen = new Set(current);
+	const added = [];
+	const mergedOrigins = [...current];
+	for (const o of expectedOrigins) if (!seen.has(o)) {
+		mergedOrigins.push(o);
+		seen.add(o);
+		added.push(o);
 	}
+	cui.allowedOrigins = mergedOrigins;
+	node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
 }
 /**
-* (Re)create workspace/agent/skills/<name> → ../<installPath>/<name> symlinks so
-* the agent workspace sees agent-skills under the conventional skills/ directory.
+* Step 7: Verify startup scripts landed in configDir/scripts/.
 *
-* Both sides share workspace/agent/ as parent, so the relative link form is stable
-* regardless of where homeBase is mounted.
+* Scripts are extracted directly to configDir/scripts/ during stageTemplate —
+* there's no intermediate copy any more. This step is now a verification gate
+* (rather than a copy action) so the step count stays at 9 and we fail early
+* if the template tgz didn't carry a scripts/ dir.
+*/
+function verifyStartupScripts(configDir, log) {
+	const targetScriptsDir = node_path.default.join(configDir, "scripts");
+	if (!node_fs.default.existsSync(targetScriptsDir)) throw new Error(`scripts dir missing at ${targetScriptsDir} — template download failed?`);
+	log(`scripts dir present at ${targetScriptsDir}`);
+}
+/**
+* Step 8: Install all extensions AND CLI tools listed in the OSS manifest at
+* `openclawTag`. Extensions use installExtension (role=extension); CLI tools
+* use installClis (role=cli, excluding 'openclaw' which has its own step 5).
 *
-* @param homeBase  Root directory (default /home/gem). installPath is relative to
-*                  <homeBase>/workspace/agent/.
-* @param installPath  Relative path of the extracted skills dir under workspace/agent
-*                     (e.g. ".agents/skills").
+* skipConfigUpdate=true for extensions: reset regenerates openclaw.json via
+* template (step 2) + merges backup/origins (step 6), so splicing
+* plugins.installs here would be overwritten. CLI tools don't touch
+* openclaw.json at all.
+*
+* feishuAppSecret is passed through for lark-cli post-install init
+* (lark-cli config init --app-secret-stdin). Absent/empty is fine — installClis
+* treats it as optional and falls back to config-stored secret.
 */
-function linkAgentSkills(homeBase, installPath) {
-	const targetDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, installPath);
-	const skillsLinkDir = node_path.default.join(homeBase, WORKSPACE_AGENT_REL, "skills");
-	if (!node_fs.default.existsSync(targetDir)) {
-		console.error(`[install-cli] linkAgentSkills: targetDir=${targetDir} does not exist — skipping`);
-		return;
+async function step8InstallAll(openclawTag, ossFileMap, feishuAppSecret, log) {
+	log(`install-extension --all tag=${openclawTag}`);
+	await installExtension(openclawTag, ossFileMap, {
+		all: true,
+		skipConfigUpdate: true
+	});
+	log("extensions installed");
+	const cliNames = (await fetchManifest(ossFileMap, openclawTag)).packages.filter((p) => p.role === "cli" && p.name !== "openclaw").map((p) => p.name);
+	if (cliNames.length > 0) {
+		log(`install-cli names=[${cliNames.join(",")}] tag=${openclawTag}`);
+		await installClis(openclawTag, ossFileMap, {
+			names: cliNames,
+			feishuAppSecret
+		});
+		log(`cli tools installed: ${cliNames.join(",")}`);
+	} else log("no cli packages in manifest, skip");
+}
+/** Step 9: Write secrets/provider key files and restart openclaw. */
+function writeSecretsAndRestart(vars, resetData, configDir, log) {
+	if (resetData.secretsContent && vars.secretsFilePath) {
+		writeFile(vars.secretsFilePath, resetData.secretsContent);
+		log(`wrote secrets to ${vars.secretsFilePath}`);
 	}
-	const skillDirs = node_fs.default.readdirSync(targetDir, { withFileTypes: true }).filter((e) => e.isDirectory());
-	console.error(`[install-cli] linkAgentSkills: creating ${skillDirs.length} symlinks in ${skillsLinkDir}`);
-	node_fs.default.mkdirSync(skillsLinkDir, { recursive: true });
-	for (const entry of skillDirs) {
-		const relTarget = node_path.default.join("..", installPath, entry.name);
-		const symlinkPath = node_path.default.join(skillsLinkDir, entry.name);
-		try {
-			node_fs.default.unlinkSync(symlinkPath);
-		} catch {}
-		node_fs.default.symlinkSync(relTarget, symlinkPath);
-		console.error(`[install-cli] linkAgentSkills:   ${entry.name} -> ${relTarget}`);
+	if (resetData.providerKeyContent && vars.providerFilePath) {
+		writeFile(vars.providerFilePath, resetData.providerKeyContent);
+		log(`wrote provider key to ${vars.providerFilePath}`);
 	}
-	console.error(`[install-cli] linkAgentSkills: done — ${skillDirs.length} skill(s) symlinked from ${skillsLinkDir}`);
+	const restartScript = "/opt/force/bin/openclaw_scripts/restart.sh";
+	if (fileExists(restartScript)) {
+		const t = Date.now();
+		shell(`bash '${restartScript}'`, 3e4);
+		log(`restart.sh done in ${Date.now() - t}ms`);
+	} else log(`no restart.sh at ${restartScript}, skip`);
 }
-function installOne(pkg, tarball, homeBase, tmpRoot) {
-	const targetDir = node_path.default.join(homeBase, pkg.installPath);
-	const bakDir = targetDir + ".bak";
-	const newDir = targetDir + ".new";
-	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
-	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
-		recursive: true,
-		force: true
+async function runReset(input, taskId, resultFile) {
+	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+	const { configPath, vars, resetData } = input;
+	const configDir = node_path.default.dirname(configPath);
+	const stagedDir = node_path.default.join(DIAGNOSE_DIR, `reset-${taskId}-template`);
+	let currentStep = 0;
+	let stepStartedAt = Date.now();
+	const stepResults = [];
+	const log = makeLogger(resetLogFile(taskId));
+	log(`=== reset started, taskId=${taskId}, pid=${process.pid} ===`);
+	log(`configPath=${configPath}, configDir=${configDir}, stagedDir=${stagedDir}`);
+	log(`vars: feishuAppID=${vars.feishuAppID || "(empty)"} feishuAppSecret=${vars.feishuAppSecret ? "***" : "(empty)"} expectedOrigins=${JSON.stringify(vars.expectedOrigins ?? [])} recommendedTag=${vars.recommendedOpenclawTag ?? "(none)"}`);
+	const ossFileMap = resetData.ossFileMap;
+	if (!ossFileMap || Object.keys(ossFileMap).length === 0) {
+		const err = "resetData.ossFileMap missing or empty";
+		log(`ERROR: ${err}`);
+		markFailed(resultFile, 0, err, startedAt);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
+	}
+	let openclawTag;
+	if (resetData.openclawTag) openclawTag = resetData.openclawTag;
+	else try {
+		openclawTag = getOpenclawTagFromOssFileMap(ossFileMap);
+	} catch (e) {
+		const err = e.message;
+		log(`ERROR: ${err}`);
+		markFailed(resultFile, 0, err, startedAt);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
+	}
+	log(`openclawTag=${openclawTag}, ossFileMap keys=${Object.keys(ossFileMap).length}`);
+	const cb = resetData.coreBackup;
+	log(`coreBackup: ${cb ? `agents=${cb.agents?.length ?? 0} bindings=${cb.bindings?.length ?? 0} feishuAccounts=${Object.keys(cb.channels?.feishu?.accounts ?? {}).join(", ") || "(none)"}` : "none"}`);
+	process.on("uncaughtException", (err) => {
+		log(`FATAL uncaughtException: ${err.message}\n${err.stack ?? ""}`);
+		markFailed(resultFile, currentStep, `uncaught exception: ${err.message}`, startedAt);
+		process.exit(1);
 	});
-	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-		recursive: true,
-		force: true
+	process.on("unhandledRejection", (reason) => {
+		log(`FATAL unhandledRejection: ${String(reason)}`);
+		markFailed(resultFile, currentStep, `unhandled rejection: ${reason}`, startedAt);
+		process.exit(1);
 	});
-	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(tmpRoot ?? node_os.default.tmpdir(), "cli-install-"));
-	try {
-		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
-		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error(`cli tarball missing package.json: ${pkg.name}`);
-		moveSafe(tmpStage, newDir);
-		const hadExisting = node_fs.default.existsSync(targetDir);
-		try {
-			if (hadExisting) moveSafe(targetDir, bakDir);
-			moveSafe(newDir, targetDir);
-		} catch (e) {
-			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
-				moveSafe(bakDir, targetDir);
-			} catch {}
-			try {
-				node_fs.default.rmSync(newDir, {
-					recursive: true,
-					force: true
-				});
-			} catch {}
-			throw e;
+	/** Advance to the next step, recording the previous step's success
+	*  duration and updating the on-disk progress file. */
+	const step = (n) => {
+		if (currentStep > 0) {
+			const dur = Date.now() - stepStartedAt;
+			log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${dur}ms`);
+			stepResults.push({
+				step: currentStep,
+				name: STEPS[currentStep - 1],
+				status: "ok",
+				durationMs: dur
+			});
 		}
-		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-			recursive: true,
-			force: true
+		currentStep = n;
+		stepStartedAt = Date.now();
+		log(`--- step ${n}/${TOTAL_STEPS}: ${STEPS[n - 1]} ---`);
+		updateProgress(resultFile, n, startedAt);
+	};
+	try {
+		await stageTemplate(openclawTag, ossFileMap, stagedDir, configDir, log);
+		step(1);
+		backupCurrentConfig(configPath, log);
+		step(2);
+		generateDefaultConfig(stagedDir, configPath, resetData.templateVars, log);
+		step(3);
+		killOpenclawProcesses(log);
+		step(4);
+		waitForInitNpm(10 * 6e4, log);
+		step(5);
+		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
+		step(6);
+		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
+		step(7);
+		verifyStartupScripts(configDir, log);
+		step(8);
+		await step8InstallAll(openclawTag, ossFileMap, vars.feishuAppSecret || void 0, log);
+		step(9);
+		writeSecretsAndRestart(vars, resetData, configDir, log);
+		const lastDur = Date.now() - stepStartedAt;
+		log(`step 9 "${STEPS[8]}" done in ${lastDur}ms`);
+		stepResults.push({
+			step: 9,
+			name: STEPS[8],
+			status: "ok",
+			durationMs: lastDur
+		});
+		log("=== reset completed successfully ===");
+		markDone(resultFile, startedAt);
+		return {
+			success: true,
+			steps: stepResults
+		};
+	} catch (e) {
+		const err = e.message;
+		const dur = Date.now() - stepStartedAt;
+		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${dur}ms: ${err}\n${e.stack ?? ""}`);
+		stepResults.push({
+			step: currentStep,
+			name: STEPS[currentStep - 1] ?? "init",
+			status: "fail",
+			durationMs: dur,
+			error: err
 		});
+		markFailed(resultFile, currentStep, err, startedAt);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: currentStep
+		};
 	} finally {
-		if (node_fs.default.existsSync(tmpStage)) try {
-			node_fs.default.rmSync(tmpStage, {
+		try {
+			node_fs.default.rmSync(stagedDir, {
 				recursive: true,
 				force: true
 			});
@@ -6858,6 +6887,44 @@ function installOne(pkg, tarball, homeBase, tmpRoot) {
 	}
 }
 //#endregion
+//#region src/get-reset-task.ts
+/**
+* Long-poll for a reset task result.
+* Reads the result file every 1s for up to 30s.
+* Returns immediately on terminal states (done/failed).
+*/
+function getResetTask(taskId) {
+	const resultFile = resetResultFile(taskId);
+	const deadline = Date.now() + 3e4;
+	while (Date.now() < deadline) {
+		if (!node_fs.default.existsSync(resultFile)) {
+			sleepSync(1e3);
+			continue;
+		}
+		try {
+			const content = node_fs.default.readFileSync(resultFile, "utf-8");
+			const result = JSON.parse(content);
+			if (result.status === "done" || result.status === "failed") return result;
+		} catch {}
+		sleepSync(1e3);
+	}
+	if (node_fs.default.existsSync(resultFile)) try {
+		return JSON.parse(node_fs.default.readFileSync(resultFile, "utf-8"));
+	} catch {}
+	return {
+		status: "running",
+		progress: "等待中..."
+	};
+}
+/**
+* Synchronous sleep using Atomics.wait on a shared buffer.
+*/
+function sleepSync(ms) {
+	const buf = new SharedArrayBuffer(4);
+	const arr = new Int32Array(buf);
+	Atomics.wait(arr, 0, 0, ms);
+}
+//#endregion
 //#region src/oss/resolveOssFileMap.ts
 /**
 * Pick an OssFileMap in the order of decreasing specificity:
@@ -10038,7 +10105,7 @@ async function reportCliRun(opts) {
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.11`;
+	return `v0.1.12-alpha.0`;
 }
 const COMMANDS = [
 	{