@lark-apaas/openclaw-scripts-diagnose-cli 0.1.12 → 0.1.13-alpha.1

package/dist/index.cjs

@@ -52,7 +52,7 @@ node_assert = __toESM(node_assert);
 * it terse and parseable.
 */
 function getVersion() {
-	return "0.1.12";
+	return "0.1.13-alpha.1";
 }
 //#endregion
 //#region src/rule-engine/base.ts
@@ -3555,6 +3555,87 @@ CleanupInstallBackupDirsRule = __decorate([Rule({
 	level: "critical"
 })], CleanupInstallBackupDirsRule);
 //#endregion
+//#region src/rules/feishu-bot-channel-config.ts
+/**
+* Ensures each bot account's channel config is correct:
+*   1. `allowFrom` contains its own `creatorOpenID` from larkApps
+*   2. `appSecret` is either the canonical provider-ref or matches larkApps plaintext
+*/
+let FeishuBotChannelConfigRule = class FeishuBotChannelConfigRule extends DiagnoseRule {
+	validate(ctx) {
+		const larkApps = ctx.vars.larkApps;
+		if (!larkApps || larkApps.length === 0) return { pass: true };
+		const accounts = asRecord(getNestedMap(ctx.config, "channels", "feishu")?.accounts);
+		if (!accounts) return { pass: true };
+		const issues = [];
+		for (const [accountId, account] of Object.entries(accounts)) {
+			const bot = asRecord(account);
+			if (!bot) continue;
+			const appId = bot.appId;
+			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
+			const larkApp = larkApps.find((e) => e.larkAppID === appId);
+			if (!larkApp) continue;
+			const creatorOpenID = larkApp.creatorOpenID;
+			if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
+				if (!(Array.isArray(bot.allowFrom) ? bot.allowFrom : []).includes(creatorOpenID)) issues.push(`${accountId} allowFrom missing creatorOpenID ${creatorOpenID.length > 8 ? creatorOpenID.slice(0, 4) + "***" + creatorOpenID.slice(-4) : "***"}`);
+			}
+			const secret = bot.appSecret;
+			if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
+				if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) issues.push(`${accountId} appSecret is a provider-ref but not the canonical one`);
+			} else if (typeof secret === "string") {
+				if (secret !== larkApp.appSecret) issues.push(`${accountId} appSecret plaintext mismatch`);
+			} else issues.push(`${accountId} appSecret has unexpected type`);
+		}
+		if (issues.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: issues.join("; ")
+		};
+	}
+	repair(ctx) {
+		const larkApps = ctx.vars.larkApps;
+		if (!larkApps || larkApps.length === 0) return;
+		const accounts = asRecord(getNestedMap(ctx.config, "channels", "feishu")?.accounts);
+		if (!accounts) return;
+		for (const [, account] of Object.entries(accounts)) {
+			const bot = asRecord(account);
+			if (!bot) continue;
+			const appId = bot.appId;
+			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
+			const larkApp = larkApps.find((e) => e.larkAppID === appId);
+			if (!larkApp) continue;
+			const creatorOpenID = larkApp.creatorOpenID;
+			if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
+				const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
+				if (!allowFrom.includes(creatorOpenID)) {
+					allowFrom.push(creatorOpenID);
+					bot.allowFrom = allowFrom;
+				}
+			}
+			const secret = bot.appSecret;
+			let needsFix = false;
+			if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
+				if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) needsFix = true;
+			} else if (typeof secret === "string") {
+				if (secret !== larkApp.appSecret) needsFix = true;
+			} else needsFix = true;
+			if (needsFix) bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
+		}
+	}
+};
+FeishuBotChannelConfigRule = __decorate([Rule({
+	key: "feishu_bot_channel_config",
+	description: "确保多账号飞书配置中每个 bot 账号的 allowFrom 包含其创建者 openID 且 appSecret 值正确",
+	dependsOn: [
+		"config_syntax_check",
+		"feishu_default_account",
+		"feishu_bot_id"
+	],
+	repairMode: "standard",
+	usesVars: ["larkApps"],
+	level: "critical"
+})], FeishuBotChannelConfigRule);
+//#endregion
 //#region src/check.ts
 /** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
 *  AND a DoctorReport-shape payload (for `openclaw.report_cli_run`). The
@@ -4154,9 +4235,10 @@ function makeLogger(logFile) {
 /**
 * Start an async reset task: spawn a detached child process and return the taskId.
 *
-* The child process runs: node cli.js reset --worker --task-id=xxx --ctx=base64
+* The child process runs: node cli.js reset --worker --task-id=xxx
+* The worker fetches ctx from innerApi itself — no --ctx passthrough.
 */
-function startAsyncReset(ctxBase64) {
+function startAsyncReset() {
 	const taskId = (0, node_crypto.randomUUID)();
 	const resultFile = resetResultFile(taskId);
 	const log = makeLogger(resetLogFile(taskId));
@@ -4180,8 +4262,7 @@ function startAsyncReset(ctxBase64) {
 		process.argv[1],
 		"reset",
 		"--worker",
-		`--task-id=${taskId}`,
-		`--ctx=${ctxBase64}`
+		`--task-id=${taskId}`
 	], {
 		detached: true,
 		stdio: "ignore",
@@ -6695,6 +6776,60 @@ function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
 	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
 }
 /**
+* Fix bot account allowFrom and appSecret using larkApps from innerApi.
+*
+* For each bot account (key starts with `bot-cli_`):
+*   - allowFrom must contain the bot's own creatorOpenID from larkApps
+*   - appSecret must be either the canonical provider-ref or match larkApps plaintext
+*
+* Runs after mergeCoreBackupAndOrigins so it operates on the final config state.
+*/
+function fixBotChannelConfig(configPath, larkApps, log) {
+	if (!larkApps || larkApps.length === 0) {
+		log("no larkApps data, skip bot channel config fix");
+		return;
+	}
+	const config = loadJSON5().parse(node_fs.default.readFileSync(configPath, "utf-8"));
+	const accounts = asRecord(getNestedMap(config, "channels", "feishu")?.accounts);
+	if (!accounts) {
+		log("no feishu accounts in config, skip bot channel config fix");
+		return;
+	}
+	let fixCount = 0;
+	for (const [, account] of Object.entries(accounts)) {
+		const bot = asRecord(account);
+		if (!bot) continue;
+		const appId = bot.appId;
+		if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
+		const larkApp = larkApps.find((e) => e.larkAppID === appId);
+		if (!larkApp) continue;
+		const creatorOpenID = larkApp.creatorOpenID;
+		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
+			const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
+			if (!allowFrom.includes(creatorOpenID)) {
+				allowFrom.push(creatorOpenID);
+				bot.allowFrom = allowFrom;
+				fixCount++;
+			}
+		}
+		const secret = bot.appSecret;
+		let needsFix = false;
+		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
+			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) needsFix = true;
+		} else if (typeof secret === "string") {
+			if (secret !== larkApp.appSecret) needsFix = true;
+		} else needsFix = true;
+		if (needsFix) {
+			bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
+			fixCount++;
+		}
+	}
+	if (fixCount > 0) {
+		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+		log(`fixed ${fixCount} bot channel config issue(s) (allowFrom/appSecret)`);
+	} else log("bot channel config ok, no fixes needed");
+}
+/**
 * Step 7: Verify startup scripts landed in configDir/scripts/.
 *
 * Scripts are extracted directly to configDir/scripts/ during stageTemplate —
@@ -6839,6 +6974,7 @@ async function runReset(input, taskId, resultFile) {
 		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
 		step(6);
 		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
+		fixBotChannelConfig(configPath, vars.larkApps, log);
 		step(7);
 		verifyStartupScripts(configDir, log);
 		step(8);
@@ -7637,7 +7773,8 @@ function normalizeCtx(raw) {
 			reset: {
 				templateVars: r.reset.templateVars ?? {},
 				coreBackup: r.reset.coreBackup
-			}
+			},
+			larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
 		};
 	}
 	const vars = r.vars ?? {};
@@ -7662,7 +7799,8 @@ function normalizeCtx(raw) {
 		reset: {
 			templateVars: resetData.templateVars ?? {},
 			coreBackup: resetData.coreBackup
-		}
+		},
+		larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
 	};
 }
 function fillApp(src) {
@@ -7727,7 +7865,8 @@ function buildCheckInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
+			larkApps: ctx.larkApps
 		},
 		templateVars: ctx.app.templateVars
 	};
@@ -7759,7 +7898,8 @@ function buildRepairInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
+			larkApps: ctx.larkApps
 		},
 		repairData: {
 			secretsContent: ctx.secrets.secretsContent,
@@ -7795,7 +7935,8 @@ function buildResetInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
+			larkApps: ctx.larkApps
 		},
 		resetData: {
 			templateVars: ctx.reset.templateVars,
@@ -10105,7 +10246,7 @@ async function reportCliRun(opts) {
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.12`;
+	return `v0.1.13-alpha.1`;
 }
 const COMMANDS = [
 	{
@@ -10528,6 +10669,20 @@ function planVarsFields(opts = {}) {
 	}
 	return [...fields].sort();
 }
+/** Check if any enabled rule declares a specific Vars field in usesVars. */
+function doesAnyRuleUseVar(field, opts = {}) {
+	const disabled = new Set(opts.disabled ?? []);
+	const only = opts.onlyRules && opts.onlyRules.length > 0 ? new Set(opts.onlyRules) : null;
+	const profile = opts.profile ?? "standard";
+	for (const rule of getAllRules()) {
+		const key = rule.meta.key;
+		if (disabled.has(key)) continue;
+		if (only && !only.has(key)) continue;
+		if (!isProfileEnabled(rule, profile)) continue;
+		if ((rule.meta.usesVars ?? []).includes(field)) return true;
+	}
+	return false;
+}
 /**
 * Plan a `populate` selector for a given subcommand.
 *
@@ -10552,6 +10707,11 @@ function planCtxPopulate(opts) {
 		profile: opts.profile
 	});
 	if (appFields.length > 0) populate.app = appFields;
+	if (doesAnyRuleUseVar("larkApps", {
+		disabled: opts.disabled,
+		onlyRules: opts.onlyRules,
+		profile: opts.profile
+	})) populate.larkApps = true;
 	if (opts.command === "repair") populate.secrets = true;
 	else if (opts.command === "reset") {
 		populate.secrets = true;
@@ -10658,8 +10818,8 @@ function getMultiFlag(args, name) {
 * case but is no longer consulted.
 */
 async function reportRun(command, rc, _raw, invocation, durationMs, outcome, slardar = {
-	scene,
-	profile,
+	scene: void 0,
+	profile: "standard",
 	fix: false
 }) {
 	console.error(`${command}: telemetry calling report_cli_run`);
@@ -10819,27 +10979,15 @@ async function main() {
 			break;
 		}
 		case "reset":
-			if (args.includes("--async")) {
-				const ctxArg = args.find((a) => a.startsWith("--ctx="));
-				let ctxBase64;
-				if (ctxArg) ctxBase64 = ctxArg.slice(6);
-				else {
-					const fetched = await fetchCtxViaInnerApi({
-						populate: planCtxPopulate({ command: "reset" }),
-						caller,
-						traceId
-					});
-					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
-				}
-				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
-			} else if (args.includes("--worker")) {
+			if (args.includes("--async")) console.log(JSON.stringify(startAsyncReset()));
+			else if (args.includes("--worker")) {
 				const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
 				if (!taskId) {
 					console.error("Error: --task-id=<id> is required for worker");
 					node_process.default.exit(1);
 				}
 				const resultFile = resetResultFile(taskId);
-				const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+				const raw = await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "reset" }),
 					caller,
 					traceId
@@ -10863,7 +11011,7 @@ async function main() {
 					return;
 				}
 			} else {
-				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
+				console.error("Usage: reset --async | reset --worker --task-id=<id>");
 				node_process.default.exit(1);
 			}
 			break;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lark-apaas/openclaw-scripts-diagnose-cli",
-  "version": "0.1.12",
+  "version": "0.1.13-alpha.1",
   "description": "CLI for OpenClaw config diagnose and repair with JSON5 support",
   "main": "dist/index.cjs",
   "bin": {