npm - @lark-apaas/openclaw-scripts-diagnose-cli - Versions diffs - 0.1.14-alpha.11 → 0.1.14-alpha.12 - Mend

@lark-apaas/openclaw-scripts-diagnose-cli 0.1.14-alpha.11 → 0.1.14-alpha.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.cjs +774 -228
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -52,7 +52,7 @@ node_assert = __toESM(node_assert);
 * it terse and parseable.
 */
 function getVersion() {
-	return "0.1.14-alpha.11";
+	return "0.1.14-alpha.12";
 }
 //#endregion
 //#region src/rule-engine/base.ts
@@ -3347,7 +3347,6 @@ function resolveUpgradeDirection(installed, ocCur, recommendedOc, isLegacy) {
 /** 提取公共前置上下文；任何前置条件不满足时返回 null（规则 pass）。 */
 function resolveCompatContext(ctx) {
 	const recommendedOc = ctx.vars.recommendedOpenclawTag;
-	if (!recommendedOc) return null;
 	const ocCur = getOcVersion();
 	if (!ocCur) return null;
 	const installed = getInstalledPlugin(ctx);
@@ -3370,6 +3369,7 @@ let FeishuPluginOpenclawUpgradeRule = class FeishuPluginOpenclawUpgradeRule exte
 		if (!cc) return { pass: true };
 		const { ocCur, recommendedOc, installed, isLegacy } = cc;
 		if (isForkPlugin(installed)) return validateForkPlugin(installed, ocCur, recommendedOc);
+		if (!recommendedOc) return { pass: true };
 		if (resolveUpgradeDirection(installed, ocCur, recommendedOc, isLegacy) !== "openclaw") return { pass: true };
 		return {
 			pass: false,
@@ -3397,11 +3397,17 @@ let FeishuPluginLarkUpgradeRule = class FeishuPluginLarkUpgradeRule extends Diag
 		if (!cc) return { pass: true };
 		const { ocCur, recommendedOc, installed, isLegacy } = cc;
 		if (isForkPlugin(installed)) return { pass: true };
-		if (resolveUpgradeDirection(installed, ocCur, recommendedOc, isLegacy) !== "lark") return { pass: true };
+		if (!isLarkUpgradeNeededFromCC(cc)) return { pass: true };
+		const prefix = buildCompatPrefix(installed, ocCur, isLegacy);
+		if (!recommendedOc) return {
+			pass: false,
+			action: "upgrade_lark",
+			message: `${prefix}；建议升级飞书插件至兼容版本`
+		};
 		return {
 			pass: false,
 			action: "upgrade_lark",
-			message: `${buildCompatPrefix(installed, ocCur, isLegacy)}；当前 openclaw@${ocCur} 已达推荐版本，可直接升级飞书插件`
+			message: `${prefix}；当前 openclaw@${ocCur} 已达推荐版本，可直接升级飞书插件`
 		};
 	}
 };
@@ -3413,6 +3419,18 @@ FeishuPluginLarkUpgradeRule = __decorate([Rule({
 	level: "critical",
 	usesVars: ["recommendedOpenclawTag"]
 })], FeishuPluginLarkUpgradeRule);
+/**
+* Core predicate: returns true when the lark plugin needs upgrading for a
+* non-fork plugin, based on version compatibility with the current openclaw.
+*
+* Shared by FeishuPluginLarkUpgradeRule.validate and needsLarkUpgrade.
+* Callers must handle fork plugin cases before invoking this function.
+*/
+function isLarkUpgradeNeededFromCC(cc) {
+	const { ocCur, recommendedOc, installed, isLegacy } = cc;
+	if (!recommendedOc) return isLegacy || !isVersionCompatible(installed, ocCur);
+	return resolveUpgradeDirection(installed, ocCur, recommendedOc, isLegacy) === "lark";
+}
 function isForkPlugin(p) {
 	return p.scope != null && FORK_SCOPES.includes(p.scope);
 }
@@ -3451,14 +3469,16 @@ function describeCompatConstraint(entry, pluginVersion) {
 /**
 * @lark-apaas/openclaw-lark 豁免 VERSION_COMPAT_MAP，但仍要求 openclaw ≥ FORK_LARK_PLUGIN_MIN_OC_VERSION。
 * 其他 @lark-apaas scope 的 fork 插件继续无条件 pass。
+* recommendedOc 可为 undefined（doctor 模式），此时只检测最低版本要求，不指定目标升级版本。
 */
 function validateForkPlugin(installed, ocCur, recommendedOc) {
 	if (installed.fullName !== FORK_LARK_PLUGIN_FULL_NAME) return { pass: true };
 	if (compareCalVer(ocCur, FORK_LARK_PLUGIN_MIN_OC_VERSION) >= 0) return { pass: true };
+	const recommendation = recommendedOc ? `；将 openclaw 升级到 ${recommendedOc} 即可满足` : `；请升级 openclaw 至 ${FORK_LARK_PLUGIN_MIN_OC_VERSION} 或更高版本`;
 	return {
 		pass: false,
 		action: "upgrade_openclaw",
-		message: `飞书插件 ${describePlugin(installed)}（fork 版）要求 openclaw ≥ ${FORK_LARK_PLUGIN_MIN_OC_VERSION}，当前 openclaw@${ocCur} 低于此要求；将 openclaw 升级到 ${recommendedOc} 即可满足`
+		message: `飞书插件 ${describePlugin(installed)}（fork 版）要求 openclaw ≥ ${FORK_LARK_PLUGIN_MIN_OC_VERSION}，当前 openclaw@${ocCur} 低于此要求${recommendation}`
 	};
 }
 function describePlugin(p) {
@@ -3505,6 +3525,196 @@ function extractScopedNameFromSpec$1(spec) {
 	const at = spec.indexOf("@", 1);
 	return at === -1 ? spec : spec.slice(0, at);
 }
+/**
+* Returns true if the installed feishu plugin is version-incompatible with
+* the current openclaw (or is a legacy plugin that must be replaced).
+* Used by the upgrade_lark_needed rule and the upgrade-lark pre-check gate.
+*/
+function needsLarkUpgrade(ctx) {
+	const cc = resolveCompatContext(ctx);
+	if (!cc) return false;
+	const { ocCur, recommendedOc, installed } = cc;
+	if (isForkPlugin(installed)) {
+		if (recommendedOc) return false;
+		if (installed.fullName === FORK_LARK_PLUGIN_FULL_NAME) return compareCalVer(ocCur, FORK_LARK_PLUGIN_MIN_OC_VERSION) < 0;
+		return false;
+	}
+	return isLarkUpgradeNeededFromCC(cc);
+}
+//#endregion
+//#region src/channels-probe.ts
+const FEISHU_INVALID_CONFIG_MSG = "channels.feishu: invalid config: must NOT have additional properties";
+const CHANNEL_LINE_RE = /^-\s+Feishu\s+([^:]+):\s+(.+)$/;
+/**
+* Port of Python `_account_is_working` from the feishu-channel-success-rate skill.
+*
+* Strips colon-prefixed key:value bits (dm:, bot:, in:, out:, token:, allow:,
+* intents:, groups:, health:) and evaluates the canonical health formula.
+*
+* @param ignoreProbeFailed  When true, "probe failed" is not treated as a
+*   failure condition. Use this when checking whether channels are structurally
+*   working for upgrade-gate purposes (probe failures indicate network issues,
+*   not plugin misconfiguration).
+*/
+function accountIsWorking(bits, ignoreProbeFailed = true) {
+	const bitTokens = /* @__PURE__ */ new Set();
+	let hasError = false;
+	let hasProbeFailed = false;
+	for (const raw of bits) {
+		const b = raw.trim();
+		if (!b) continue;
+		if (b.startsWith("error:")) {
+			hasError = true;
+			continue;
+		}
+		if (b === "probe failed") {
+			hasProbeFailed = true;
+			continue;
+		}
+		bitTokens.add(b.split(":")[0]);
+	}
+	if (!bitTokens.has("enabled") || !bitTokens.has("configured")) return false;
+	if (bitTokens.has("works")) return true;
+	if (bitTokens.has("running") && !hasError && (ignoreProbeFailed || !hasProbeFailed)) return true;
+	return false;
+}
+/**
+* Parse the raw stdout of `openclaw channels status --probe`.
+* Port of Python `extract_channels_probe` from the feishu-channel-success-rate skill.
+*/
+function parseChannelsProbeOutput(text, { ignoreProbeFailed = true } = {}) {
+	const gatewayReachable = text.includes("Gateway reachable");
+	const feishuConfigInvalid = text.includes(FEISHU_INVALID_CONFIG_MSG);
+	const accounts = [];
+	let anyAccountWorking = false;
+	for (const line of text.split("\n")) {
+		const m = CHANNEL_LINE_RE.exec(line.trim());
+		if (!m) continue;
+		const [, acct, rest] = m;
+		const bits = rest.split(",").map((b) => b.trim());
+		const isWorking = accountIsWorking(bits, ignoreProbeFailed);
+		if (isWorking) anyAccountWorking = true;
+		accounts.push({
+			id: acct.trim(),
+			bits,
+			isWorking,
+			raw: line.trim()
+		});
+	}
+	return {
+		gatewayReachable,
+		feishuConfigInvalid,
+		accounts,
+		anyAccountWorking
+	};
+}
+/**
+* Run `openclaw channels status --probe` and return a structured result.
+*
+* The command may exit non-zero when some bot accounts fail their probe — that
+* is still useful output.  We therefore try to parse stdout even when the
+* process exits with a non-zero code, falling back to an unavailable result
+* only when there is genuinely no output to parse.
+*
+* @param timeoutMs         Maximum wait time.  Default is 60 s because v2026.4.x
+*   lacks a per-request HTTP timeout and can block indefinitely.
+* @param ignoreProbeFailed When true, accounts with "probe failed" are still
+*   counted as working.  Pass true for upgrade-gate checks where probe failures
+*   reflect network conditions rather than plugin misconfiguration.
+*/
+function runChannelsProbe(timeoutMs = 6e4, { ignoreProbeFailed = true } = {}) {
+	let stdout = "";
+	let stderrText = "";
+	let execError;
+	try {
+		stdout = (0, node_child_process.execSync)("openclaw channels status --probe", {
+			encoding: "utf-8",
+			timeout: timeoutMs,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch (e) {
+		const err = e;
+		const stdoutRaw = err.stdout;
+		stdout = typeof stdoutRaw === "string" ? stdoutRaw : stdoutRaw?.toString("utf-8") ?? "";
+		execError = err.message;
+		const stderrRaw = err.stderr;
+		stderrText = (typeof stderrRaw === "string" ? stderrRaw : stderrRaw?.toString("utf-8") ?? "").trim();
+		if (stderrText) console.error(`channels-probe: stderr from CLI: ${stderrText}`);
+	}
+	if (stdout.trim()) return {
+		available: true,
+		...parseChannelsProbeOutput(stdout, { ignoreProbeFailed })
+	};
+	return {
+		available: false,
+		gatewayReachable: false,
+		feishuConfigInvalid: stderrText.includes(FEISHU_INVALID_CONFIG_MSG),
+		accounts: [],
+		anyAccountWorking: false,
+		error: execError ?? "no output from openclaw channels status --probe"
+	};
+}
+//#endregion
+//#region src/rules/upgrade-lark-needed.ts
+/**
+* Detects the condition that warrants running `upgrade-lark`:
+*   - feishu plugin version incompatible with current openclaw, OR
+*   - openclaw channels status --probe reports feishu channel config invalid; AND
+*   - channels are not working.
+*
+* Both conditions must be true simultaneously. If version is compatible and
+* feishu config is valid, or channels are working, the rule passes (no action needed).
+*
+* feishuConfigInvalid is read from the channels probe output rather than running a
+* separate `openclaw status` call, since only `openclaw channels status --probe`
+* reliably surfaces the schema validation error.
+*
+* profile: experimental — runs only in full sweep mode, not in standard doctor.
+* level: silent — telemetry/sweep-only, does not trigger page-level repair UI.
+*/
+let UpgradeLarkNeededRule = class UpgradeLarkNeededRule extends DiagnoseRule {
+	validate(ctx) {
+		let versionIncompatible = false;
+		try {
+			versionIncompatible = needsLarkUpgrade(ctx);
+		} catch {
+			versionIncompatible = true;
+		}
+		let probeResult;
+		try {
+			probeResult = runChannelsProbe(6e4);
+		} catch {
+			probeResult = {
+				available: false,
+				gatewayReachable: false,
+				feishuConfigInvalid: false,
+				accounts: [],
+				anyAccountWorking: false
+			};
+		}
+		const feishuConfigInvalid = probeResult.feishuConfigInvalid;
+		if (!(versionIncompatible || feishuConfigInvalid)) return { pass: true };
+		if (probeResult.anyAccountWorking) return { pass: true };
+		return {
+			pass: false,
+			action: "upgrade_lark",
+			message: `飞书插件需要升级且 channels 不可用（版本不兼容=${versionIncompatible}, feishu配置无效=${feishuConfigInvalid}），建议执行 upgrade-lark 命令升级飞书插件`
+		};
+	}
+};
+UpgradeLarkNeededRule = __decorate([Rule({
+	key: "upgrade_lark_needed",
+	description: "检测飞书插件版本不兼容且 channels 不可用，判断是否需要执行 upgrade-lark 升级",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "check-only",
+	level: "silent",
+	profile: "experimental",
+	usesVars: ["recommendedOpenclawTag"]
+})], UpgradeLarkNeededRule);
 //#endregion
 //#region src/rules/cleanup-install-backup-dirs.ts
 const DIR_PREFIX = ".openclaw-install-";
@@ -3650,117 +3860,6 @@ LarkCliMissingForInstalledLarkPluginRule = __decorate([Rule({
 	usesVars: ["recommendedOpenclawTag"]
 })], LarkCliMissingForInstalledLarkPluginRule);
 //#endregion
-//#region src/rules/feishu-bot-channel-config.ts
-/**
-* Ensures each bot account's channel config is correct:
-*   1. `allowFrom` contains its own `creatorOpenID` from larkApps
-*   2. `appSecret` is either the canonical provider-ref or matches larkApps plaintext
-*
-* Covers both multi-account (channels.feishu.accounts) and single-account
-* (channels.feishu.appId + allowFrom at top level) layouts.
-*/
-let FeishuBotChannelConfigRule = class FeishuBotChannelConfigRule extends DiagnoseRule {
-	validate(ctx) {
-		const larkApps = ctx.vars.larkApps;
-		if (!larkApps || larkApps.length === 0) return { pass: true };
-		const feishu = asRecord(getNestedMap(ctx.config, "channels", "feishu"));
-		if (!feishu) return { pass: true };
-		const issues = [];
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [accountId, account] of Object.entries(accounts)) {
-			const bot = asRecord(account);
-			if (!bot) continue;
-			const appId = bot.appId;
-			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-			const larkApp = larkApps.find((e) => e.larkAppID === appId);
-			if (!larkApp) continue;
-			this.checkBot(accountId, bot, larkApp, issues);
-		}
-		const singleAppId = feishu.appId;
-		if (typeof singleAppId === "string" && singleAppId.startsWith("cli_") && !accounts) {
-			const larkApp = larkApps.find((e) => e.larkAppID === singleAppId);
-			if (larkApp) this.checkBot("feishu", feishu, larkApp, issues);
-		}
-		if (issues.length === 0) return { pass: true };
-		return {
-			pass: false,
-			message: issues.join("; ")
-		};
-	}
-	/** Check a single bot entry (either an account object or the feishu channel itself).
-	*  appSecret is validated based on its current type:
-	*  - object → must match canonical provider-ref
-	*  - string → must match larkApps plaintext
-	*/
-	checkBot(label, bot, larkApp, issues) {
-		const creatorOpenID = larkApp.creatorOpenID;
-		const allowFrom = Array.isArray(bot.allowFrom) ? bot.allowFrom : [];
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			if (!allowFrom.includes(creatorOpenID)) issues.push(`${label} allowFrom missing creatorOpenID ${creatorOpenID.length > 8 ? creatorOpenID.slice(0, 4) + "***" + creatorOpenID.slice(-4) : "***"}`);
-		} else if (allowFrom.length === 0) issues.push(`${label} allowFrom is empty (creatorOpenID unavailable, cannot auto-fix)`);
-		const secret = bot.appSecret;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) issues.push(`${label} appSecret is a provider-ref but not the canonical one`);
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) issues.push(`${label} appSecret plaintext mismatch`);
-		} else issues.push(`${label} appSecret has unexpected type ${typeof secret}`);
-	}
-	repair(ctx) {
-		const larkApps = ctx.vars.larkApps;
-		if (!larkApps || larkApps.length === 0) return;
-		const feishu = asRecord(getNestedMap(ctx.config, "channels", "feishu"));
-		if (!feishu) return;
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [, account] of Object.entries(accounts)) {
-			const bot = asRecord(account);
-			if (!bot) continue;
-			const appId = bot.appId;
-			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-			const larkApp = larkApps.find((e) => e.larkAppID === appId);
-			if (!larkApp) continue;
-			this.fixBot(bot, larkApp);
-		}
-		const singleAppId = feishu.appId;
-		if (typeof singleAppId === "string" && singleAppId.startsWith("cli_") && !accounts) {
-			const larkApp = larkApps.find((e) => e.larkAppID === singleAppId);
-			if (larkApp) this.fixBot(feishu, larkApp);
-		}
-	}
-	/** Fix a single bot entry in-place.
-	*  appSecret is repaired based on its current type:
-	*  - object → fix to canonical provider-ref
-	*  - string → fix to larkApps plaintext
-	*/
-	fixBot(bot, larkApp) {
-		const creatorOpenID = larkApp.creatorOpenID;
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
-			if (!allowFrom.includes(creatorOpenID)) {
-				allowFrom.push(creatorOpenID);
-				bot.allowFrom = allowFrom;
-			}
-		}
-		const secret = bot.appSecret;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) bot.appSecret = larkApp.appSecret;
-		}
-	}
-};
-FeishuBotChannelConfigRule = __decorate([Rule({
-	key: "feishu_bot_channel_config",
-	description: "确保飞书配置中 bot 账号的 allowFrom 包含其创建者 openID 且 appSecret 值正确",
-	dependsOn: [
-		"config_syntax_check",
-		"feishu_default_account",
-		"feishu_bot_id"
-	],
-	repairMode: "standard",
-	usesVars: ["larkApps"],
-	level: "critical"
-})], FeishuBotChannelConfigRule);
-//#endregion
 //#region src/check.ts
 /** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
 *  AND a DoctorReport-shape payload (for `openclaw.report_cli_run`). The
@@ -4224,6 +4323,9 @@ const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-
 const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
 /** Absolute path to the openclaw config JSON. */
 const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
+function upgradeLarkLogFile(runId) {
+	return `${DIAGNOSE_DIR}/upgrade-lark-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace(/:/g, "-")}-${runId.slice(0, 8)}.log`;
+}
 //#endregion
 //#region src/run-log.ts
 let currentRunContext;
@@ -4360,10 +4462,9 @@ function makeLogger(logFile) {
 /**
 * Start an async reset task: spawn a detached child process and return the taskId.
 *
-* The child process runs: node cli.js reset --worker --task-id=xxx
-* The worker fetches ctx from innerApi itself — no --ctx passthrough.
+* The child process runs: node cli.js reset --worker --task-id=xxx --ctx=base64
 */
-function startAsyncReset() {
+function startAsyncReset(ctxBase64) {
 	const taskId = (0, node_crypto.randomUUID)();
 	const resultFile = resetResultFile(taskId);
 	const log = makeLogger(resetLogFile(taskId));
@@ -4387,7 +4488,8 @@ function startAsyncReset() {
 		process.argv[1],
 		"reset",
 		"--worker",
-		`--task-id=${taskId}`
+		`--task-id=${taskId}`,
+		`--ctx=${ctxBase64}`
 	], {
 		detached: true,
 		stdio: "ignore",
@@ -6901,60 +7003,6 @@ function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
 	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
 }
 /**
-* Fix bot account allowFrom and appSecret using larkApps from innerApi.
-*
-* For each bot account (key starts with `bot-cli_`):
-*   - allowFrom must contain the bot's own creatorOpenID from larkApps
-*   - appSecret must be either the canonical provider-ref or match larkApps plaintext
-*
-* Runs after mergeCoreBackupAndOrigins so it operates on the final config state.
-*/
-function fixBotChannelConfig(configPath, larkApps, log) {
-	if (!larkApps || larkApps.length === 0) {
-		log("no larkApps data, skip bot channel config fix");
-		return;
-	}
-	const config = loadJSON5().parse(node_fs.default.readFileSync(configPath, "utf-8"));
-	const accounts = asRecord(getNestedMap(config, "channels", "feishu")?.accounts);
-	if (!accounts) {
-		log("no feishu accounts in config, skip bot channel config fix");
-		return;
-	}
-	let fixCount = 0;
-	for (const [, account] of Object.entries(accounts)) {
-		const bot = asRecord(account);
-		if (!bot) continue;
-		const appId = bot.appId;
-		if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-		const larkApp = larkApps.find((e) => e.larkAppID === appId);
-		if (!larkApp) continue;
-		const creatorOpenID = larkApp.creatorOpenID;
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
-			if (!allowFrom.includes(creatorOpenID)) {
-				allowFrom.push(creatorOpenID);
-				bot.allowFrom = allowFrom;
-				fixCount++;
-			}
-		}
-		const secret = bot.appSecret;
-		let needsFix = false;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) needsFix = true;
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) needsFix = true;
-		} else needsFix = true;
-		if (needsFix) {
-			bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
-			fixCount++;
-		}
-	}
-	if (fixCount > 0) {
-		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
-		log(`fixed ${fixCount} bot channel config issue(s) (allowFrom/appSecret)`);
-	} else log("bot channel config ok, no fixes needed");
-}
-/**
 * Step 7: Verify startup scripts landed in configDir/scripts/.
 *
 * Scripts are extracted directly to configDir/scripts/ during stageTemplate —
@@ -7099,7 +7147,6 @@ async function runReset(input, taskId, resultFile) {
 		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
 		step(6);
 		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
-		fixBotChannelConfig(configPath, vars.larkApps, log);
 		step(7);
 		verifyStartupScripts(configDir, log);
 		step(8);
@@ -7898,8 +7945,7 @@ function normalizeCtx(raw) {
 			reset: {
 				templateVars: r.reset.templateVars ?? {},
 				coreBackup: r.reset.coreBackup
-			},
-			larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
+			}
 		};
 	}
 	const vars = r.vars ?? {};
@@ -7924,8 +7970,7 @@ function normalizeCtx(raw) {
 		reset: {
 			templateVars: resetData.templateVars ?? {},
 			coreBackup: resetData.coreBackup
-		},
-		larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
+		}
 	};
 }
 function fillApp(src) {
@@ -7990,8 +8035,7 @@ function buildCheckInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		templateVars: ctx.app.templateVars
 	};
@@ -8023,8 +8067,7 @@ function buildRepairInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		repairData: {
 			secretsContent: ctx.secrets.secretsContent,
@@ -8060,8 +8103,7 @@ function buildResetInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		resetData: {
 			templateVars: ctx.reset.templateVars,
@@ -10371,7 +10413,7 @@ async function reportCliRun(opts) {
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.14-alpha.11`;
+	return `v0.1.14-alpha.12`;
 }
 const COMMANDS = [
 	{
@@ -10475,12 +10517,16 @@ EXIT CODES
 		hidden: true,
 		summary: "Run rule-engine check only",
 		help: `USAGE
-  ${BIN} check
+  ${BIN} check [--ctx=<base64>]
 DESCRIPTION
   Runs the rule engine against the sandbox's current openclaw config and
-  returns { failedRules }. Ctx is fetched from innerapi automatically.
-  End-users should prefer \`doctor\`.
+  returns { failedRules }. Used by sandbox_console's push-style callers
+  that already own the ctx — end-users should prefer \`doctor\`.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi (same path as doctor).
 `
 	},
 	{
@@ -10488,11 +10534,16 @@ DESCRIPTION
 		hidden: true,
 		summary: "Apply standard-mode repairs",
 		help: `USAGE
-  ${BIN} repair
+  ${BIN} repair [--ctx=<base64>]
 DESCRIPTION
-  Runs repair for the failing rules. Ctx is fetched from innerapi
-  automatically. End-users should use \`doctor --fix\` instead.
+  Runs repair for the failing rules listed inside the ctx's repairData.
+  Intended for sandbox_console's push path — end-users should use
+  \`doctor --fix\` instead.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi.
 `
 	},
 	{
@@ -10500,15 +10551,14 @@ DESCRIPTION
 		hidden: true,
 		summary: "Re-initialize sandbox via the 9-step reset pipeline",
 		help: `USAGE
-  ${BIN} reset --async
-  ${BIN} reset --worker --task-id=<id>
+  ${BIN} reset --async  [--ctx=<base64>]
+  ${BIN} reset --worker --task-id=<id> [--ctx=<base64>]
 DESCRIPTION
   Two-phase pipeline driven asynchronously: the --async invocation spawns
   a detached worker and returns { taskId } immediately; the --worker
   invocation (spawned by --async) runs the actual 9 steps and writes
   progress to /tmp/openclaw-diagnose/reset-<taskId>.json.
-  Ctx is fetched from innerapi automatically.
   Poll progress with \`${BIN} get_reset_task --task-id=<id>\`.
@@ -10516,6 +10566,7 @@ OPTIONS
   --async           Start a detached worker and return taskId on stdout.
   --worker          Internal — run the 9-step pipeline (launched by --async).
   --task-id=<id>    Required with --worker; identifies the progress file.
+  --ctx=<base64>    Opaque ctx JSON; fetched from innerapi when absent.
 `
 	},
 	{
@@ -10538,7 +10589,7 @@ OPTIONS
 		hidden: true,
 		summary: "Download + install the openclaw tarball",
 		help: `USAGE
-  ${BIN} install-openclaw <tag> [--oss_file_map=<base64>]
+  ${BIN} install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]
 DESCRIPTION
   Downloads the openclaw@<tag> tgz via the signed OSS URL found in the
@@ -10550,9 +10601,9 @@ ARGUMENTS
   <tag>                Openclaw version tag, e.g. 2026.4.11.
 OPTIONS
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
   --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi
-                       entirely. When absent, ossFileMap is fetched from
-                       innerapi automatically.
+                       entirely. Wins over --ctx when both provided.
 `
 	},
 	{
@@ -10578,7 +10629,8 @@ OPTIONS
   --home_base=<dir>    Override the /home/gem base (tests).
   --config_path=<p>    Override the openclaw.json path (tests).
   --skip-config-update Leave plugins.installs in openclaw.json untouched.
-  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
+  --ctx=<base64>       Opaque ctx; see install-openclaw for semantics.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
 `
 	},
 	{
@@ -10605,6 +10657,7 @@ OPTIONS
   --cli=<name>         CLI package to install by short name or scoped
                        packageName (repeatable, at least one required).
   --home_base=<dir>    Override the /home/gem base (tests).
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
   --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
 EXAMPLES
@@ -10658,6 +10711,46 @@ OPTIONS
 EXIT CODES
   0    Success or skipped (prerequisites not met).
   1    Secret/path unresolvable, lark-cli failed, or config unreadable.
+`
+	},
+	{
+		name: "upgrade-lark",
+		hidden: false,
+		summary: "Upgrade the Feishu/Lark plugin via @larksuite/openclaw-lark-tools",
+		help: `USAGE
+  ${BIN} upgrade-lark [--scene=<scene>] [--caller=<n>] [--trace-id=<id>]
+DESCRIPTION
+  Upgrades the Feishu/Lark plugin by running:
+    npx -y @larksuite/openclaw-lark-tools update --use-existing
+  Before the upgrade, the following files are backed up:
+    - openclaw.json
+    - extensions/openclaw-lark/  (if present)
+    - extensions/feishu-openclaw-plugin/  (if present)
+  After the upgrade, the result is validated:
+    - feishu.accounts bot count must not decrease
+    - gateway config structure must remain valid (port/mode/bind/auth/trustedProxies)
+  If the upgrade command fails, or validation fails, the backed-up files are
+  restored to roll back the changes.
+  Execution is logged to /tmp/openclaw-diagnose/upgrade-lark-<runId>.log.
+  Output is a single JSON object on stdout:
+    { "ok": true, "stdout": "...", "stderr": "...", "logFile": "..." }
+    { "ok": false, "error": "...", "stderr": "...", "exitCode": 1,
+      "rollbackOk": true, "validationError": "...", "logFile": "..." }
+OPTIONS
+  --scene=<scene>    Telemetry label forwarded to Slardar only.
+                     Known values: PageUpgradeLark, etc. Custom strings accepted.
+  --caller=<name>    Optional metadata passed to innerapi.
+  --trace-id=<id>    Optional log-correlation id.
+EXIT CODES
+  0    Success: upgrade ran and all validations passed.
+  1    Failure: npx error, validation failed, or git commit failed.
+       File rollback was attempted (see rollbackOk in the JSON output).
 `
 	},
 	{
@@ -10691,6 +10784,41 @@ EXAMPLES
   ${BIN} rules                         # all rules
   ${BIN} rules --rule=gateway          # single rule
   ${BIN} rules --rule=gateway --rule=feishu_channel  # multiple rules
+`
+	},
+	{
+		name: "channels-probe",
+		hidden: true,
+		summary: "Check feishu channel health via openclaw channels status --probe",
+		help: `USAGE
+  ${BIN} channels-probe [--timeout=<ms>]
+DESCRIPTION
+  Runs \`openclaw channels status --probe\` and returns a structured JSON
+  summary of whether the current environment's feishu channels are
+  configured and working correctly.
+  Output:
+    {
+      "available": true,
+      "gatewayReachable": true,
+      "accounts": [
+        { "id": "default", "bits": ["enabled","configured","running","works"],
+          "isWorking": true, "raw": "- Feishu default: ..." }
+      ],
+      "anyAccountWorking": true
+    }
+  An account is considered working when:
+    enabled ∧ configured ∧ ( works ∨ ( running ∧ no error: ∧ no probe failed ) )
+  "available": false means the CLI invocation itself failed (openclaw not
+  found, gateway unreachable, or no parseable output returned).
+OPTIONS
+  --timeout=<ms>   Max wait in milliseconds (default: 60000).  The probe
+                   can hang indefinitely on openclaw v2026.4.x due to a
+                   missing per-request HTTP timeout — set this accordingly.
 `
 	},
 	{
@@ -10711,7 +10839,8 @@ OPTIONS
   --role=<role>        Package role (e.g. template, config).
   --name=<name>        Package name within the role.
   --dir=<dir>          Target dir (defaults to dirname(pkg.installPath)).
-  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
 `
 	}
 ];
@@ -10787,31 +10916,31 @@ function planVarsFields(opts = {}) {
 *
 * Per-command group needs:
 *
-*   doctor / check    app + larkApps
-*   repair            app + secrets + larkApps
-*   reset             app + secrets + install + reset + larkApps
+*   doctor / check    app (rule-driven)
+*   repair            app + secrets   (writes secretsContent / providerKeyContent)
+*   reset             app + secrets + install + reset (the works)
 *   install-*         install only
 *
 * Empty result (`{}`) means "no group needed" — the CLI can skip the
 * `fetchCtxViaInnerApi` call entirely and run with a synthetic empty ctx.
+* Happens e.g. when the user pinned `--rule=<key>` to a vars-free rule on
+* `doctor`.
 */
 function planCtxPopulate(opts) {
 	if (opts.command === "install") return { install: true };
 	const populate = {};
-	if (planVarsFields({
+	const appFields = planVarsFields({
 		disabled: opts.disabled,
 		onlyRules: opts.onlyRules,
 		profile: opts.profile
-	}).length > 0) populate.app = true;
-	if (opts.command === "repair") {
-		populate.secrets = true;
-		populate.larkApps = true;
-	} else if (opts.command === "reset") {
+	});
+	if (appFields.length > 0) populate.app = appFields;
+	if (opts.command === "repair") populate.secrets = true;
+	else if (opts.command === "reset") {
 		populate.secrets = true;
 		populate.install = true;
 		populate.reset = true;
-		populate.larkApps = true;
-	} else if (opts.command === "doctor" || opts.command === "check") populate.larkApps = true;
+	}
 	return populate;
 }
 //#endregion
@@ -10865,11 +10994,372 @@ function reportDoctorRunToSlardar(opts) {
 		}
 	});
 }
+function readLogFile(filePath) {
+	try {
+		return node_fs.default.readFileSync(filePath, "utf-8");
+	} catch {
+		return "";
+	}
+}
+function reportUpgradeLarkToSlardar(opts) {
+	console.error(`[slardar] upgrade_lark_run scene=${opts.scene ?? ""} success=${opts.success} exitCode=${opts.exitCode ?? ""} rollbackOk=${opts.rollbackOk ?? ""}`);
+	const logContent = readLogFile(opts.logFile);
+	reportTask({
+		eventName: "upgrade_lark_run",
+		durationMs: opts.durationMs,
+		status: opts.success ? "success" : "failed",
+		extraCategories: {
+			scene: opts.scene ?? "",
+			exit_code: String(opts.exitCode ?? ""),
+			rollback_ok: opts.rollbackOk != null ? String(opts.rollbackOk) : "",
+			validation_error: opts.validationError ?? "",
+			error_msg: opts.error ?? "",
+			log_content: logContent
+		}
+	});
+}
+//#endregion
+//#region src/upgrade-lark.ts
+/** Plugin directories under extensions/ that are backed up before upgrade */
+const FEISHU_PLUGIN_DIRS = ["openclaw-lark", "feishu-openclaw-plugin"];
+function backupFiles(opts) {
+	const { workspaceDir, configPath, backupDir, log } = opts;
+	try {
+		node_fs.default.mkdirSync(backupDir, { recursive: true });
+		log(`backup dir: ${backupDir}`);
+		if (node_fs.default.existsSync(configPath)) {
+			const stat = node_fs.default.statSync(configPath);
+			node_fs.default.copyFileSync(configPath, node_path.default.join(backupDir, "openclaw.json"));
+			log(`  backed up: openclaw.json (${stat.size} bytes)`);
+		} else log(`  skipped: openclaw.json (not found)`);
+		const extSrc = node_path.default.join(workspaceDir, "extensions");
+		for (const pluginDir of FEISHU_PLUGIN_DIRS) {
+			const src = node_path.default.join(extSrc, pluginDir);
+			if (node_fs.default.existsSync(src)) {
+				const dst = node_path.default.join(backupDir, "extensions", pluginDir);
+				node_fs.default.cpSync(src, dst, { recursive: true });
+				const version = readPkgVersion(node_path.default.join(src, "package.json"));
+				log(`  backed up: extensions/${pluginDir}${version ? ` (version: ${version})` : ""}`);
+			} else log(`  skipped: extensions/${pluginDir} (not found)`);
+		}
+		return { ok: true };
+	} catch (e) {
+		return {
+			ok: false,
+			error: `backup failed: ${e.message}`
+		};
+	}
+}
+function restoreFiles(opts) {
+	const { workspaceDir, configPath, backupDir, log } = opts;
+	try {
+		const configBackup = node_path.default.join(backupDir, "openclaw.json");
+		if (node_fs.default.existsSync(configBackup)) {
+			node_fs.default.copyFileSync(configBackup, configPath);
+			log(`  restored: openclaw.json`);
+		}
+		const extDst = node_path.default.join(workspaceDir, "extensions");
+		for (const pluginDir of FEISHU_PLUGIN_DIRS) {
+			const backupSrc = node_path.default.join(backupDir, "extensions", pluginDir);
+			if (node_fs.default.existsSync(backupSrc)) {
+				const dst = node_path.default.join(extDst, pluginDir);
+				if (node_fs.default.existsSync(dst)) node_fs.default.rmSync(dst, {
+					recursive: true,
+					force: true
+				});
+				node_fs.default.cpSync(backupSrc, dst, { recursive: true });
+				log(`  restored: extensions/${pluginDir}`);
+			}
+		}
+		return true;
+	} catch (e) {
+		log(`  restore error: ${e.message}`);
+		return false;
+	}
+}
+function readPkgVersion(pkgPath) {
+	try {
+		const pkg = JSON.parse(node_fs.default.readFileSync(pkgPath, "utf-8"));
+		return typeof pkg.version === "string" ? pkg.version : null;
+	} catch {
+		return null;
+	}
+}
+function snapshotVersions(cwd, log) {
+	const ocResult = (0, node_child_process.spawnSync)("openclaw", ["--version"], {
+		cwd,
+		encoding: "utf-8",
+		stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		],
+		timeout: 5e3
+	});
+	const ocRaw = (ocResult.stdout ?? "").trim() || (ocResult.stderr ?? "").trim();
+	const extDir = node_path.default.join(cwd, "extensions");
+	const larkPkg = node_path.default.join(extDir, "openclaw-lark", "package.json");
+	const feishuPkg = node_path.default.join(extDir, "feishu-openclaw-plugin", "package.json");
+	log(`  version-check paths: ${larkPkg} [${node_fs.default.existsSync(larkPkg) ? "exists" : "missing"}]`);
+	log(`  version-check paths: ${feishuPkg} [${node_fs.default.existsSync(feishuPkg) ? "exists" : "missing"}]`);
+	return {
+		openclaw: ocRaw || null,
+		openclawLark: readPkgVersion(larkPkg),
+		feishuOpenclawPlugin: readPkgVersion(feishuPkg)
+	};
+}
+function logVersionSnapshot(label, v, log) {
+	log(`${label}: openclaw=${v.openclaw ?? "n/a"} openclaw-lark=${v.openclawLark ?? "n/a"} feishu-openclaw-plugin=${v.feishuOpenclawPlugin ?? "n/a"}`);
+}
+function countFeishuBots(configPath) {
+	try {
+		const raw = node_fs.default.readFileSync(configPath, "utf-8");
+		const config = loadJSON5().parse(raw);
+		const accounts = getNestedMap(config, "channels", "feishu", "accounts");
+		if (accounts) return Object.keys(accounts).length;
+		const feishu = getNestedMap(config, "channels", "feishu");
+		return typeof feishu?.appId === "string" && feishu.appId ? 1 : 0;
+	} catch {
+		return 0;
+	}
+}
+/** Run channels probe, log results, and return the result. Never throws. */
+function probeChannels(label, log, timeoutMs) {
+	try {
+		const r = runChannelsProbe(timeoutMs);
+		log(`  ${label} available=${r.available} anyAccountWorking=${r.anyAccountWorking}`);
+		if (r.error) log(`  ${label} error: ${r.error}`);
+		if (r.gatewayReachable != null) log(`  ${label} gatewayReachable: ${r.gatewayReachable}`);
+		for (const acct of r.accounts ?? []) log(`  ${label} account ${acct.id}: isWorking=${acct.isWorking} bits=[${acct.bits.join(",")}]`);
+		return r;
+	} catch (e) {
+		log(`  ${label} channels probe threw: ${e.message}`);
+		return {
+			available: false,
+			gatewayReachable: false,
+			feishuConfigInvalid: false,
+			accounts: [],
+			anyAccountWorking: false
+		};
+	}
+}
+function runUpgradeLark(opts) {
+	const cwd = opts.cwd ?? "/home/gem/workspace/agent";
+	const configPath = opts.configPath ?? CONFIG_PATH;
+	const logFile = upgradeLarkLogFile(opts.runId);
+	const log = makeLogger(logFile);
+	const fsOpts = {
+		workspaceDir: cwd,
+		configPath,
+		backupDir: node_path.default.join(opts.backupBaseDir ?? "/tmp/openclaw-diagnose", `upgrade-lark-backup-${opts.runId}`),
+		log
+	};
+	const cliScript = opts.cliScript ?? process.argv[1];
+	const statusCheckDelayMs = opts.statusCheckDelayMs ?? 5e3;
+	log(`${"=".repeat(60)}`);
+	log(`upgrade-lark started  runId=${opts.runId}`);
+	log(`  cwd        : ${cwd}`);
+	log(`  configPath : ${configPath}`);
+	log(`${"=".repeat(60)}`);
+	log("");
+	log("── [Pre-check A] channels probe（升级前）────────────────");
+	const beforeChannels = probeChannels("before", log, 6e4);
+	log("");
+	log("── [Pre-check B] 版本兼容预检 ───────────────────────────");
+	let versionIncompatible = false;
+	try {
+		const rawConfig = node_fs.default.readFileSync(configPath, "utf-8");
+		versionIncompatible = needsLarkUpgrade({
+			config: loadJSON5().parse(rawConfig),
+			configPath,
+			vars: {},
+			providerDeps: {
+				usesMiaodaProvider: false,
+				usesMiaodaSecretProvider: false
+			}
+		});
+		log(`  version-compat pre-check: ${versionIncompatible ? "NEEDS_UPGRADE" : "ok"}`);
+	} catch (e) {
+		log(`  version-compat pre-check error: ${e.message} — treating as needs-upgrade`);
+		versionIncompatible = true;
+	}
+	const feishuConfigInvalid = beforeChannels.feishuConfigInvalid;
+	log(`  feishu config invalid  : ${feishuConfigInvalid}`);
+	log("");
+	log("── [Gate] 升级前置条件检查 ───────────────────────────────");
+	log(`  versionIncompatible    : ${versionIncompatible}`);
+	log(`  feishuConfigInvalid    : ${feishuConfigInvalid}`);
+	log(`  channels working before: ${beforeChannels.anyAccountWorking}`);
+	if (!(versionIncompatible || feishuConfigInvalid)) {
+		const reason = "version compatible and feishu channel config valid — upgrade not needed";
+		log(`  SKIP: ${reason}`);
+		log(`${"=".repeat(60)}`);
+		log("upgrade-lark skipped (pre-check gate)");
+		log(`${"=".repeat(60)}`);
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: reason,
+			logFile
+		};
+	}
+	if (beforeChannels.anyAccountWorking) {
+		const reason = "channels are working — upgrade not needed (issue detected but system is functional)";
+		log(`  SKIP: ${reason}`);
+		log(`${"=".repeat(60)}`);
+		log("upgrade-lark skipped (pre-check gate)");
+		log(`${"=".repeat(60)}`);
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: reason,
+			logFile
+		};
+	}
+	log(`  PROCEED: requiresLarkUpgrade=true (version=${versionIncompatible}, feishuConfig=${feishuConfigInvalid}) AND channels not working → running upgrade`);
+	log("");
+	log("── [1/6] 文件备份 ────────────────────────────────────────");
+	log(`before-state: botCount=${countFeishuBots(configPath)}`);
+	const backup = backupFiles(fsOpts);
+	if (!backup.ok) {
+		log(`ERROR: ${backup.error}`);
+		return {
+			ok: false,
+			error: backup.error,
+			logFile
+		};
+	}
+	log("backup: ok");
+	logVersionSnapshot("before-versions", snapshotVersions(cwd, log), log);
+	log("");
+	log("── [2/6] 清理本地 openclaw shim ─────────────────────────");
+	const localOpenclawBin = node_path.default.join(cwd, "node_modules", ".bin", "openclaw");
+	if (node_fs.default.existsSync(localOpenclawBin)) try {
+		node_fs.default.rmSync(localOpenclawBin);
+		log(`  removed: ${localOpenclawBin}`);
+	} catch (e) {
+		log(`  WARN: failed to remove ${localOpenclawBin}: ${e.message}`);
+	}
+	else log(`  skipped: ${localOpenclawBin} (not found)`);
+	log("");
+	log("── [3/6] npx install (@larksuite/openclaw-lark-tools update) ──");
+	const npxResult = (0, node_child_process.spawnSync)("npx", [
+		"-y",
+		"@larksuite/openclaw-lark-tools",
+		"update"
+	], {
+		cwd,
+		encoding: "utf-8",
+		stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		],
+		timeout: 12e4
+	});
+	const npxStdout = npxResult.stdout?.trim() ?? "";
+	const npxStderr = npxResult.stderr?.trim() ?? "";
+	const npxExitCode = npxResult.status ?? 1;
+	if (npxStdout) log(`npx stdout:\n${npxStdout}`);
+	if (npxStderr) log(`npx stderr:\n${npxStderr}`);
+	log(`npx exit: ${npxExitCode}${npxResult.error ? ` error: ${npxResult.error.message}` : ""}`);
+	if (statusCheckDelayMs > 0) {
+		log("");
+		log(`── 等待 ${statusCheckDelayMs / 1e3}s（让 openclaw 服务完成重启） ─────────────`);
+		Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, statusCheckDelayMs);
+		log("wait done");
+	}
+	const doRollback = (reason) => {
+		log(`ERROR: ${reason}`);
+		const rollbackOk = restoreFiles(fsOpts);
+		log(`rollback: ${rollbackOk ? "ok" : "FAILED"}`);
+		return {
+			ok: false,
+			error: reason,
+			validationError: reason,
+			stdout: npxStdout,
+			stderr: npxStderr,
+			exitCode: npxExitCode,
+			rollbackOk,
+			logFile
+		};
+	};
+	log("");
+	log("── [4/5] 安装后诊断校验 ─────────────────────────────────");
+	logVersionSnapshot("after-versions", snapshotVersions(cwd, log), log);
+	let afterVersionIncompatible = false;
+	try {
+		const rawConfig = node_fs.default.readFileSync(configPath, "utf-8");
+		afterVersionIncompatible = needsLarkUpgrade({
+			config: loadJSON5().parse(rawConfig),
+			configPath,
+			vars: {},
+			providerDeps: {
+				usesMiaodaProvider: false,
+				usesMiaodaSecretProvider: false
+			}
+		});
+		log(`  version-compat post-check: ${afterVersionIncompatible ? "STILL_INCOMPATIBLE" : "ok"}`);
+	} catch (e) {
+		log(`  version-compat post-check error: ${e.message} — treating as still-incompatible`);
+		afterVersionIncompatible = true;
+	}
+	const afterChannels = probeChannels("after", log, 6e4);
+	log(`  feishu config invalid after: ${afterChannels.feishuConfigInvalid}`);
+	const stillNeedsUpgrade = (afterVersionIncompatible || afterChannels.feishuConfigInvalid) && !afterChannels.anyAccountWorking;
+	log(`  post-check: stillNeedsUpgrade=${stillNeedsUpgrade} (version=${afterVersionIncompatible}, feishuConfig=${afterChannels.feishuConfigInvalid}, channelsWorking=${afterChannels.anyAccountWorking})`);
+	if (stillNeedsUpgrade) return doRollback(`post-install diagnosis still shows anomaly: versionIncompatible=${afterVersionIncompatible}, feishuConfigInvalid=${afterChannels.feishuConfigInvalid}, anyAccountWorking=${afterChannels.anyAccountWorking}`);
+	log("  post-install diagnosis: ok (upgrade conditions resolved)");
+	log("");
+	log("── [6/6] doctor --fix ────────────────────────────────────");
+	const fixArgs = ["doctor", "--fix"];
+	if (opts.scene) fixArgs.push(`--scene=${opts.scene}`);
+	const fixResult = (0, node_child_process.spawnSync)(process.execPath, [cliScript, ...fixArgs], {
+		cwd,
+		encoding: "utf-8",
+		stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		],
+		timeout: 6e4,
+		env: process.env
+	});
+	if (fixResult.stdout?.trim()) log(`doctor(fix) stdout:\n${fixResult.stdout.trim()}`);
+	if (fixResult.stderr?.trim()) log(`doctor(fix) stderr:\n${fixResult.stderr.trim()}`);
+	log(`doctor(fix) exit: ${fixResult.status ?? "null"}${fixResult.error ? ` error: ${fixResult.error.message}` : ""}`);
+	log("");
+	log(`${"=".repeat(60)}`);
+	log("upgrade-lark completed successfully");
+	log(`${"=".repeat(60)}`);
+	return {
+		ok: true,
+		stdout: npxStdout,
+		stderr: npxStderr,
+		exitCode: npxExitCode,
+		logFile
+	};
+}
 //#endregion
 //#region src/index.ts
 const args = node_process.default.argv.slice(2);
 const mode = args.find((a) => !a.startsWith("-"));
 /**
+* Decode `--ctx=<base64>` into an opaque JSON object. Returns undefined when
+* the flag isn't present — the caller decides whether to fall back to the
+* innerapi or to error out.
+*
+* The object's shape is not enforced here; downstream code consumes it via
+* either `normalizeCtx()` (new path) or direct field access for the legacy
+* check/repair/reset contract still used by sandbox_console push.
+*/
+function parseCtxFlag(args) {
+	const ctxArg = args.find((a) => a.startsWith("--ctx="));
+	if (!ctxArg) return void 0;
+	const b64 = ctxArg.slice(6);
+	return JSON.parse(Buffer.from(b64, "base64").toString("utf-8"));
+}
+/**
 * Pull the first non-flag positional after the mode name.
 * (The mode itself is args[0] in the filtered set, so we skip index 0.)
 */
@@ -10897,8 +11387,8 @@ function getMultiFlag(args, name) {
 * case but is no longer consulted.
 */
 async function reportRun(command, rc, _raw, invocation, durationMs, outcome, slardar = {
-	scene: void 0,
-	profile: "standard",
+	scene,
+	profile,
 	fix: false
 }) {
 	console.error(`${command}: telemetry calling report_cli_run`);
@@ -10962,7 +11452,7 @@ async function main() {
 	console.error(`${mode}: begin argv=[${args.join(" ")}] version=${getVersion()} traceId=${traceId ?? "-"} caller=${caller ?? "-"} runIdGenerated=${rc.generated}`);
 	switch (mode) {
 		case "check": {
-			const raw = await fetchCtxViaInnerApi({
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 				populate: planCtxPopulate({
 					command: "check",
 					profile
@@ -10987,7 +11477,7 @@ async function main() {
 			break;
 		}
 		case "repair": {
-			const raw = await fetchCtxViaInnerApi({
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 				populate: planCtxPopulate({
 					command: "repair",
 					profile
@@ -11058,15 +11548,27 @@ async function main() {
 			break;
 		}
 		case "reset":
-			if (args.includes("--async")) console.log(JSON.stringify(startAsyncReset()));
-			else if (args.includes("--worker")) {
+			if (args.includes("--async")) {
+				const ctxArg = args.find((a) => a.startsWith("--ctx="));
+				let ctxBase64;
+				if (ctxArg) ctxBase64 = ctxArg.slice(6);
+				else {
+					const fetched = await fetchCtxViaInnerApi({
+						populate: planCtxPopulate({ command: "reset" }),
+						caller,
+						traceId
+					});
+					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
+				}
+				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
+			} else if (args.includes("--worker")) {
 				const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
 				if (!taskId) {
 					console.error("Error: --task-id=<id> is required for worker");
 					node_process.default.exit(1);
 				}
 				const resultFile = resetResultFile(taskId);
-				const raw = await fetchCtxViaInnerApi({
+				const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "reset" }),
 					caller,
 					traceId
@@ -11090,7 +11592,7 @@ async function main() {
 					return;
 				}
 			} else {
-				console.error("Usage: reset --async | reset --worker --task-id=<id>");
+				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
 				node_process.default.exit(1);
 			}
 			break;
@@ -11106,14 +11608,14 @@ async function main() {
 		case "install-openclaw": {
 			const tag = getPositionalTag(args, "install-openclaw");
 			if (!tag) {
-				console.error("Usage: install-openclaw <tag> [--oss_file_map=<base64>]");
+				console.error("Usage: install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11148,7 +11650,7 @@ async function main() {
 		case "install-extension": {
 			const tag = getPositionalTag(args, "install-extension");
 			if (!tag) {
-				console.error("Usage: install-extension <tag> (--all | --extension=<name>...) [--home_base=<dir>] [--config_path=<path>] [--skip-config-update] [--oss_file_map=<base64>]");
+				console.error("Usage: install-extension <tag> (--all | --extension=<name>...) [--home_base=<dir>] [--config_path=<path>] [--skip-config-update] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const all = args.includes("--all");
@@ -11160,7 +11662,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11206,12 +11708,12 @@ async function main() {
 		case "install-cli": {
 			const tag = getPositionalTag(args, "install-cli");
 			if (!tag) {
-				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const names = getMultiFlag(args, "cli");
 			if (names.length === 0) {
-				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const homeBase = getFlag(args, "home_base");
@@ -11219,7 +11721,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11267,7 +11769,7 @@ async function main() {
 		case "download-resource": {
 			const tag = getPositionalTag(args, "download-resource");
 			if (!tag) {
-				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const role = getFlag(args, "role");
@@ -11281,7 +11783,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11355,6 +11857,50 @@ async function main() {
 			if (!result.ok) node_process.default.exit(1);
 			break;
 		}
+		case "upgrade-lark": {
+			const result = runUpgradeLark({
+				runId: rc.runId,
+				scene
+			});
+			const upgradeDurationMs = Date.now() - t0;
+			console.log(JSON.stringify(result));
+			reportUpgradeLarkToSlardar({
+				scene,
+				durationMs: upgradeDurationMs,
+				success: result.ok,
+				logFile: result.logFile,
+				exitCode: result.exitCode,
+				rollbackOk: result.rollbackOk,
+				validationError: result.validationError,
+				error: result.error
+			});
+			try {
+				await reportCliRun({
+					command: "upgrade-lark",
+					runId: rc.runId,
+					version: getVersion(),
+					invocation: args.join(" "),
+					durationMs: upgradeDurationMs,
+					caller: rc.caller,
+					traceId: rc.traceId,
+					success: result.ok,
+					result,
+					error: result.ok ? void 0 : { message: result.error ?? "upgrade-lark failed" }
+				});
+			} catch (e) {
+				console.error(`[telemetry] reportCliRun failed: ${e.message}`);
+			}
+			if (!result.ok) {
+				node_process.default.exitCode = 1;
+				return;
+			}
+			break;
+		}
+		case "channels-probe": {
+			const result = runChannelsProbe(getFlag(args, "timeout") ? Number(getFlag(args, "timeout")) : void 0);
+			console.log(JSON.stringify(result));
+			break;
+		}
 		default:
 			node_process.default.stderr.write(`Unknown command: ${mode}\n\n`);
 			node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lark-apaas/openclaw-scripts-diagnose-cli",
-  "version": "0.1.14-alpha.11",
+  "version": "0.1.14-alpha.12",
   "description": "CLI for OpenClaw config diagnose and repair with JSON5 support",
   "main": "dist/index.cjs",
   "bin": {