npm - @lark-apaas/openclaw-scripts-diagnose-cli - Versions diffs - 0.1.14-alpha.11 → 0.1.14-alpha.13 - Mend

@lark-apaas/openclaw-scripts-diagnose-cli 0.1.14-alpha.11 → 0.1.14-alpha.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.cjs +902 -987
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -52,7 +52,7 @@ node_assert = __toESM(node_assert);
 * it terse and parseable.
 */
 function getVersion() {
-	return "0.1.14-alpha.11";
+	return "0.1.14-alpha.13";
 }
 //#endregion
 //#region src/rule-engine/base.ts
@@ -2520,255 +2520,586 @@ function upsertResourceConstrainedToolsBlock(content) {
 	return `${content}${content.length > 0 && !content.endsWith("\n") ? "\n\n" : "\n"}${RESOURCE_CONSTRAINED_TOOLS_BLOCK}\n`;
 }
 //#endregion
-//#region src/rules/miaoda-official-plugins-install-spec-unlock.ts
+//#region src/paths.ts
 /**
-* Official miaoda-side plugins that must track manifest — version-locked specs
-* here block upgrades. Third-party / user-installed plugins are intentionally
-* out of scope (users may pin them deliberately).
+* Central directory for all ephemeral diagnose/reset artifacts: task status
+* files (`reset-<taskId>.json`) and human-readable step logs
+* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
+* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
+* run, and each run's log is right next to its state.
 */
-const OFFICIAL_PLUGIN_NAMES = new Set([
-	"openclaw-extension-miaoda",
-	"openclaw-extension-miaoda-coding",
-	"openclaw-guardian-plugin",
-	"openclaw-mem0-plugin",
-	"openclaw-lark"
-]);
-const LOCKED_NPM_SPEC = /^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*@[^@/:#\s]+$/i;
-function isLockedNpmSpec(spec) {
-	return typeof spec === "string" && LOCKED_NPM_SPEC.test(spec);
-}
-function unlockSpec(spec) {
-	const slash = spec.indexOf("/");
-	const cut = slash === -1 ? spec.indexOf("@") : spec.indexOf("@", slash + 1);
-	return spec.slice(0, cut);
+const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
+function resetResultFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
 }
-/** Yield `[key, lockedSpec]` for every official-plugin install whose `spec` is locked. */
-function* iterLockedOfficialInstalls(config) {
-	const installs = getNestedMap(config, "plugins", "installs");
-	if (!installs) return;
-	for (const [key, entry] of Object.entries(installs)) {
-		if (!OFFICIAL_PLUGIN_NAMES.has(key)) continue;
-		const spec = asRecord(entry)?.spec;
-		if (isLockedNpmSpec(spec)) yield [key, spec];
-	}
+function resetLogFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
 }
-let MiaodaOfficialPluginsInstallSpecUnlockRule = class MiaodaOfficialPluginsInstallSpecUnlockRule extends DiagnoseRule {
-	validate(ctx) {
-		const locked = [...iterLockedOfficialInstalls(ctx.config)].map(([k]) => k);
-		if (locked.length === 0) return { pass: true };
-		return {
-			pass: false,
-			message: "plugins.installs 中官方插件存在锁版本的 spec: " + locked.sort().join(",")
-		};
-	}
-	repair(ctx) {
-		for (const [key, spec] of iterLockedOfficialInstalls(ctx.config)) setNestedValue(ctx.config, [
-			"plugins",
-			"installs",
-			key,
-			"spec"
-		], unlockSpec(spec));
-	}
-};
-MiaodaOfficialPluginsInstallSpecUnlockRule = __decorate([Rule({
-	key: "miaoda_official_plugins_install_spec_unlock",
-	description: "移除官方妙搭插件安装条目中的锁版本 npm spec，使其跟随最新 manifest 版本",
-	dependsOn: ["config_syntax_check"],
-	repairMode: "standard",
-	level: "silent"
-})], MiaodaOfficialPluginsInstallSpecUnlockRule);
+/** Sandbox workspace root where openclaw config + agent state lives. */
+const WORKSPACE_DIR = "/home/gem/workspace/agent";
+/** File containing the provider key used by the openclaw miaoda provider. */
+const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
+/** File containing the miaoda openclaw secrets JSON. */
+const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
+/** Absolute path to the openclaw config JSON. */
+const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
 //#endregion
-//#region src/rules/miaoda-plugin-allow.ts
-const MIAODA_PLUGIN = "openclaw-extension-miaoda";
-let MiaodaPluginAllowRule = class MiaodaPluginAllowRule extends DiagnoseRule {
-	validate(ctx) {
-		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return { pass: true };
-		if (getAllow$1(ctx.config).includes(MIAODA_PLUGIN)) return { pass: true };
-		return {
-			pass: false,
-			message: `plugins.allow 缺少 ${MIAODA_PLUGIN}（已在 extensions/ 下装但未启用）`
-		};
-	}
-	repair(ctx) {
-		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return;
-		const plugins = ctx.config.plugins;
-		if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) {
-			ctx.config.plugins = { allow: [MIAODA_PLUGIN] };
-			return;
+//#region src/lark-cli-init.ts
+const LARK_PLUGIN_NAMES$1 = ["openclaw-lark", "feishu-openclaw-plugin"];
+const PE_XML_TAG = "lark-cli-pe";
+const PE_PLACEHOLDER = `
+<${PE_XML_TAG}>
+**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
+</${PE_XML_TAG}>
+`;
+function isLarkPluginInstalled(configPath) {
+	const extDir = getExtensionsDir(configPath);
+	return LARK_PLUGIN_NAMES$1.some((name) => {
+		try {
+			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
+		} catch {
+			return false;
 		}
-		const pluginsMap = plugins;
-		const rawAllow = pluginsMap.allow;
-		const allow = Array.isArray(rawAllow) ? rawAllow : [];
-		if (allow.includes(MIAODA_PLUGIN)) return;
-		allow.push(MIAODA_PLUGIN);
-		pluginsMap.allow = allow;
-	}
-};
-MiaodaPluginAllowRule = __decorate([Rule({
-	key: "miaoda_plugin_allow",
-	description: "当 openclaw-extension-miaoda 已在磁盘安装但未在 allow 列表中时，将其添加到 plugins.allow（实验性）",
-	dependsOn: ["config_syntax_check"],
-	repairMode: "standard",
-	level: "critical",
-	profile: "standard"
-})], MiaodaPluginAllowRule);
-function getAllow$1(config) {
-	const plugins = config.plugins;
-	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
-	const allow = plugins.allow;
-	if (!Array.isArray(allow)) return [];
-	return allow.filter((e) => typeof e === "string");
+	});
 }
-//#endregion
-//#region src/rules/lark-plugin-allow.ts
-const LARK_PLUGIN = "openclaw-lark";
-const LEGACY_LARK_PLUGIN = "feishu-openclaw-plugin";
-const LARK_PLUGIN_NAMES$1 = [LARK_PLUGIN, LEGACY_LARK_PLUGIN];
-let LarkPluginAllowRule = class LarkPluginAllowRule extends DiagnoseRule {
-	validate(ctx) {
-		const allow = getAllow(ctx.config);
-		if (LARK_PLUGIN_NAMES$1.some((name) => allow.includes(name))) return { pass: true };
-		const installed = detectInstalledLarkPlugin(getExtensionsDir(ctx.configPath));
-		if (installed == null) return { pass: true };
-		return {
-			pass: false,
-			message: `plugins.allow 缺少飞书插件 ${installed}（已在 extensions/ 下装但未启用）`
-		};
+function isLarkCliAvailable$2() {
+	try {
+		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
+			encoding: "utf-8",
+			timeout: 5e3,
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).status === 0;
+	} catch {
+		return false;
 	}
-	repair(ctx) {
-		const installed = detectInstalledLarkPlugin(getExtensionsDir(ctx.configPath));
-		if (installed == null) return;
-		if (ctx.config.plugins == null || typeof ctx.config.plugins !== "object" || Array.isArray(ctx.config.plugins)) {
-			ctx.config.plugins = { allow: [installed] };
-			return;
-		}
-		const pluginsMap = ctx.config.plugins;
-		const rawAllow = pluginsMap.allow;
-		const original = Array.isArray(rawAllow) ? rawAllow : [];
-		const stringAllow = original.filter((e) => typeof e === "string");
-		if (LARK_PLUGIN_NAMES$1.some((name) => stringAllow.includes(name))) return;
-		original.push(installed);
-		pluginsMap.allow = original;
+}
+function readConfig(configPath) {
+	try {
+		const raw = node_fs.default.readFileSync(configPath, "utf-8");
+		const parsed = loadJSON5().parse(raw);
+		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+	} catch {
+		return null;
 	}
-};
-LarkPluginAllowRule = __decorate([Rule({
-	key: "lark_plugin_allow",
-	description: "当飞书插件（openclaw-lark 或旧版名）已在磁盘安装但未加入 plugins.allow 时，自动添加",
-	dependsOn: ["config_syntax_check"],
-	repairMode: "standard",
-	level: "critical"
-})], LarkPluginAllowRule);
-function getAllow(config) {
-	const plugins = config.plugins;
-	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
-	const allow = plugins.allow;
-	if (!Array.isArray(allow)) return [];
-	return allow.filter((e) => typeof e === "string");
 }
 /**
-* fs-only 检测：`<extDir>/<name>/package.json` 存在即视为已装。
-* 优先级 openclaw-lark（新版）> feishu-openclaw-plugin（legacy）。
-* 不读 package.json 内容，只判存在性，避开 JSON 损坏。
+* Resolve the feishu app secret for the given appId.
+*
+* Lookup order:
+*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
+*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
+*
+* Value interpretation:
+*   - string  → use directly
+*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
+*
+* Returns null when the secret cannot be determined.
 */
-function detectInstalledLarkPlugin(extDir) {
-	for (const name of [LARK_PLUGIN, LEGACY_LARK_PLUGIN]) if (pluginPackageJsonExists(extDir, name)) return name;
+function resolveAppSecret(appId, config, feishuAppSecret) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) return null;
+	let rawSecret;
+	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
+	else {
+		const accounts = asRecord(feishu.accounts);
+		if (accounts) for (const [, val] of Object.entries(accounts)) {
+			const account = asRecord(val);
+			if (account?.appId === appId) {
+				rawSecret = account.appSecret ?? feishu.appSecret;
+				break;
+			}
+		}
+	}
+	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
+	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
 	return null;
 }
-function pluginPackageJsonExists(extDir, pluginDir) {
-	try {
-		return node_fs.default.existsSync(node_path.default.join(extDir, pluginDir, "package.json"));
-	} catch {
-		return false;
+/**
+* Resolve the agents.md path for the given appId from the openclaw config.
+*
+* Case 1: appId matches channels.feishu.appId (single-agent path)
+*   → WORKSPACE_DIR/AGENTS.md
+*
+* Case 2: appId found in channels.feishu.accounts (multi-agent path)
+*   → find account key where account.appId === appId
+*   → find binding where match.channel=feishu && match.accountId=that key
+*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
+*   → else find agent in agents.list by id → agent.workspace/agents.md
+*
+* Returns null when the path cannot be determined.
+*/
+function resolveAgentsMdPath(appId, config) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) {
+		console.error("resolveAgentsMdPath: channels.feishu not found");
+		return null;
 	}
+	if (typeof feishu.appId === "string" && feishu.appId === appId) {
+		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const accounts = asRecord(feishu.accounts);
+	if (!accounts) {
+		console.error("resolveAgentsMdPath: feishu.accounts not found");
+		return null;
+	}
+	let accountId;
+	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
+		accountId = key;
+		break;
+	}
+	if (!accountId) {
+		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
+	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
+	let agentId;
+	for (const b of bindings) {
+		const binding = asRecord(b);
+		if (!binding) continue;
+		const match = asRecord(binding.match);
+		if (match?.channel === "feishu" && match?.accountId === accountId) {
+			if (typeof binding.agentId === "string") {
+				agentId = binding.agentId;
+				break;
+			}
+		}
+	}
+	if (!agentId) {
+		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
+	if (agentId === "main") {
+		console.error("resolveAgentsMdPath: case=multi-agent-main");
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const agentsObj = asRecord(config.agents);
+	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
+	for (const a of list) {
+		const agent = asRecord(a);
+		if (agent?.id === agentId) {
+			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
+			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
+			return node_path.default.join(ws, "AGENTS.md");
+		}
+	}
+	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
+	return null;
 }
-//#endregion
-//#region src/rules/old-miaoda-plugins-cleanup.ts
-const NEW_MIAODA = "openclaw-extension-miaoda";
-const OLD_PLUGIN_NAMES = Object.freeze([
-	"openclaw-feishu-greeting",
-	"openclaw-miaoda-keepalive",
-	"feishu-greeting",
-	"miaoda-keepalive"
-]);
-function getPluginMaps(config) {
-	const rawAllow = asRecord(config.plugins)?.allow;
-	return {
-		entries: getNestedMap(config, "plugins", "entries"),
-		installs: getNestedMap(config, "plugins", "installs"),
-		allow: Array.isArray(rawAllow) ? rawAllow : void 0
-	};
-}
-function hasNewMiaoda({ entries, installs, allow }) {
-	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
+function appendPeToAgentsMd(agentsMdPath) {
+	const dir = node_path.default.dirname(agentsMdPath);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
+	if (existing.includes(`<lark-cli-pe>`)) {
+		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
+		return;
+	}
+	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
+	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
+	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
 }
-function findResiduals({ entries, installs, allow }, extensionsDir) {
-	return OLD_PLUGIN_NAMES.filter((name) => entries?.[name] != null || installs?.[name] != null || (allow?.includes(name) ?? false) || node_fs.default.existsSync(node_path.default.join(extensionsDir, name)));
+/**
+* Collect every Feishu bot appId declared in the openclaw config.
+* Covers both single-agent (channels.feishu.appId) and multi-agent
+* (channels.feishu.accounts[*].appId) layouts. Returns a deduplicated list.
+*/
+function collectFeishuAppIds(configPath) {
+	const config = readConfig(configPath ?? CONFIG_PATH);
+	if (!config) return [];
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) return [];
+	const appIds = /* @__PURE__ */ new Set();
+	const topAppId = feishu.appId;
+	if (typeof topAppId === "string" && topAppId.trim()) appIds.add(topAppId.trim());
+	const accounts = asRecord(feishu.accounts);
+	if (accounts) for (const val of Object.values(accounts)) {
+		const appId = asRecord(val)?.appId;
+		if (typeof appId === "string" && appId.trim()) appIds.add(appId.trim());
+	}
+	return [...appIds];
 }
-let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends DiagnoseRule {
+function runLarkCliInit(opts) {
+	const configPath = opts.configPath ?? CONFIG_PATH;
+	if (!isLarkPluginInstalled(configPath)) {
+		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: "openclaw-lark plugin not installed"
+		};
+	}
+	if (!isLarkCliAvailable$2()) {
+		console.error("lark-cli-init: skipping — lark-cli command not found");
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: "lark-cli command not found"
+		};
+	}
+	const config = readConfig(configPath);
+	if (!config) return {
+		ok: false,
+		error: `could not read config at ${configPath}`
+	};
+	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
+	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
+	if (!agentsMdPath) return {
+		ok: false,
+		error: `could not resolve agents.md path for appId=${opts.appId}`
+	};
+	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
+	if (!appSecret) return {
+		ok: false,
+		error: `could not resolve appSecret for appId=${opts.appId}`
+	};
+	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
+	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
+		"config",
+		"init",
+		"--name",
+		opts.appId,
+		"--app-id",
+		opts.appId,
+		"--brand",
+		"feishu",
+		"--app-secret-stdin",
+		"--force-init"
+	], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8",
+		input: appSecret
+	});
+	const configInitStdout = initRes.stdout?.trim() || void 0;
+	const configInitStderr = initRes.stderr?.trim() || void 0;
+	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
+	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
+	if (initRes.error) return {
+		ok: false,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init spawn error: ${initRes.error.message}`
+	};
+	if (initRes.status !== 0) return {
+		ok: false,
+		configInitExitCode: initRes.status ?? void 0,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init exited with code ${initRes.status}`
+	};
+	appendPeToAgentsMd(agentsMdPath);
+	return {
+		ok: true,
+		configInitExitCode: 0,
+		agentsMdPath
+	};
+}
+//#endregion
+//#region src/rules/agents-md-lark-cli-pe.ts
+function isLarkCliAvailable$1() {
+	try {
+		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
+			encoding: "utf-8",
+			timeout: 5e3,
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).status === 0;
+	} catch {
+		return false;
+	}
+}
+let AgentsMdLarkCliPeRule = class AgentsMdLarkCliPeRule extends DiagnoseRule {
 	validate(ctx) {
-		const maps = getPluginMaps(ctx.config);
-		if (!hasNewMiaoda(maps)) return { pass: true };
-		const residuals = findResiduals(maps, getExtensionsDir(ctx.configPath));
-		if (residuals.length === 0) return { pass: true };
+		if (!isLarkCliAvailable$1()) return { pass: true };
+		const missingPath = collectExistingAgentsMdPaths(ctx).find((filePath) => {
+			return !node_fs.default.readFileSync(filePath, "utf-8").includes(`<${PE_XML_TAG}>`);
+		});
+		if (!missingPath) return { pass: true };
 		return {
 			pass: false,
-			message: "旧 miaoda 插件残留: " + residuals.sort().join(",")
+			message: `${missingPath} 中缺少 lark-cli-pe PE 内容，需要追加`
 		};
 	}
 	repair(ctx) {
-		const maps = getPluginMaps(ctx.config);
-		if (!hasNewMiaoda(maps)) return;
-		const extensionsDir = getExtensionsDir(ctx.configPath);
-		const { entries, installs, allow } = maps;
-		const oldSet = new Set(OLD_PLUGIN_NAMES);
-		if (allow) for (let i = allow.length - 1; i >= 0; i--) {
-			const v = allow[i];
-			if (typeof v === "string" && oldSet.has(v)) allow.splice(i, 1);
-		}
-		for (const name of OLD_PLUGIN_NAMES) {
-			if (entries && name in entries) delete entries[name];
-			if (installs && name in installs) delete installs[name];
-			const target = node_path.default.join(extensionsDir, name);
-			const rel = node_path.default.relative(extensionsDir, target);
-			if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
-			try {
-				node_fs.default.rmSync(target, {
-					recursive: true,
-					force: true
-				});
-			} catch (e) {
-				console.error(`[old_miaoda_plugins_cleanup] rmSync ${target} failed: ${e.message}`);
-			}
+		if (!isLarkCliAvailable$1()) return;
+		for (const filePath of collectExistingAgentsMdPaths(ctx)) {
+			const content = node_fs.default.readFileSync(filePath, "utf-8");
+			if (content.includes(`<lark-cli-pe>`)) continue;
+			const sep = content.length > 0 && !content.endsWith("\n") ? "\n" : "";
+			node_fs.default.appendFileSync(filePath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
+			console.error(`agents-md-lark-cli-pe: appended PE to ${filePath}`);
 		}
 	}
 };
-OldMiaodaPluginsCleanupRule = __decorate([Rule({
-	key: "old_miaoda_plugins_cleanup",
-	description: "当新版 openclaw-extension-miaoda 已存在时，清理过时插件引用（openclaw-feishu-greeting、openclaw-miaoda-keepalive 等）",
+AgentsMdLarkCliPeRule = __decorate([Rule({
+	key: "agents_md_lark_cli_pe",
+	description: "检测各智能体 AGENTS.md 中是否缺失 lark-cli-pe PE 内容，lark-cli 存在时自动追加",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	level: "silent"
-})], OldMiaodaPluginsCleanupRule);
+})], AgentsMdLarkCliPeRule);
 //#endregion
-//#region src/rules/builtin-plugin-missing.ts
+//#region src/rules/miaoda-official-plugins-install-spec-unlock.ts
 /**
-* install-extension --all 安装的内置扩展插件列表（manifest role=extension）。
-* 与 miaoda-official-plugins-install-spec-unlock.ts 中的 OFFICIAL_PLUGIN_NAMES 保持一致。
+* Official miaoda-side plugins that must track manifest — version-locked specs
+* here block upgrades. Third-party / user-installed plugins are intentionally
+* out of scope (users may pin them deliberately).
 */
-const BUILTIN_EXTENSION_PLUGINS = new Set([
-	"openclaw-lark",
+const OFFICIAL_PLUGIN_NAMES = new Set([
 	"openclaw-extension-miaoda",
 	"openclaw-extension-miaoda-coding",
 	"openclaw-guardian-plugin",
-	"openclaw-mem0-plugin"
+	"openclaw-mem0-plugin",
+	"openclaw-lark"
 ]);
-function findMissingBuiltinPlugins(ctx) {
-	const extDir = getExtensionsDir(ctx.configPath);
-	return [...BUILTIN_EXTENSION_PLUGINS].filter((name) => !isPluginInstalledOnDisk(extDir, name)).sort();
+const LOCKED_NPM_SPEC = /^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*@[^@/:#\s]+$/i;
+function isLockedNpmSpec(spec) {
+	return typeof spec === "string" && LOCKED_NPM_SPEC.test(spec);
 }
-let BuiltinPluginMissingRule = class BuiltinPluginMissingRule extends DiagnoseRule {
+function unlockSpec(spec) {
+	const slash = spec.indexOf("/");
+	const cut = slash === -1 ? spec.indexOf("@") : spec.indexOf("@", slash + 1);
+	return spec.slice(0, cut);
+}
+/** Yield `[key, lockedSpec]` for every official-plugin install whose `spec` is locked. */
+function* iterLockedOfficialInstalls(config) {
+	const installs = getNestedMap(config, "plugins", "installs");
+	if (!installs) return;
+	for (const [key, entry] of Object.entries(installs)) {
+		if (!OFFICIAL_PLUGIN_NAMES.has(key)) continue;
+		const spec = asRecord(entry)?.spec;
+		if (isLockedNpmSpec(spec)) yield [key, spec];
+	}
+}
+let MiaodaOfficialPluginsInstallSpecUnlockRule = class MiaodaOfficialPluginsInstallSpecUnlockRule extends DiagnoseRule {
 	validate(ctx) {
-		const missing = findMissingBuiltinPlugins(ctx);
+		const locked = [...iterLockedOfficialInstalls(ctx.config)].map(([k]) => k);
+		if (locked.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "plugins.installs 中官方插件存在锁版本的 spec: " + locked.sort().join(",")
+		};
+	}
+	repair(ctx) {
+		for (const [key, spec] of iterLockedOfficialInstalls(ctx.config)) setNestedValue(ctx.config, [
+			"plugins",
+			"installs",
+			key,
+			"spec"
+		], unlockSpec(spec));
+	}
+};
+MiaodaOfficialPluginsInstallSpecUnlockRule = __decorate([Rule({
+	key: "miaoda_official_plugins_install_spec_unlock",
+	description: "移除官方妙搭插件安装条目中的锁版本 npm spec，使其跟随最新 manifest 版本",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	level: "silent"
+})], MiaodaOfficialPluginsInstallSpecUnlockRule);
+//#endregion
+//#region src/rules/miaoda-plugin-allow.ts
+const MIAODA_PLUGIN = "openclaw-extension-miaoda";
+let MiaodaPluginAllowRule = class MiaodaPluginAllowRule extends DiagnoseRule {
+	validate(ctx) {
+		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return { pass: true };
+		if (getAllow$1(ctx.config).includes(MIAODA_PLUGIN)) return { pass: true };
+		return {
+			pass: false,
+			message: `plugins.allow 缺少 ${MIAODA_PLUGIN}（已在 extensions/ 下装但未启用）`
+		};
+	}
+	repair(ctx) {
+		if (!isPluginInstalledOnDisk(getExtensionsDir(ctx.configPath), MIAODA_PLUGIN)) return;
+		const plugins = ctx.config.plugins;
+		if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) {
+			ctx.config.plugins = { allow: [MIAODA_PLUGIN] };
+			return;
+		}
+		const pluginsMap = plugins;
+		const rawAllow = pluginsMap.allow;
+		const allow = Array.isArray(rawAllow) ? rawAllow : [];
+		if (allow.includes(MIAODA_PLUGIN)) return;
+		allow.push(MIAODA_PLUGIN);
+		pluginsMap.allow = allow;
+	}
+};
+MiaodaPluginAllowRule = __decorate([Rule({
+	key: "miaoda_plugin_allow",
+	description: "当 openclaw-extension-miaoda 已在磁盘安装但未在 allow 列表中时，将其添加到 plugins.allow（实验性）",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	level: "critical",
+	profile: "standard"
+})], MiaodaPluginAllowRule);
+function getAllow$1(config) {
+	const plugins = config.plugins;
+	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
+	const allow = plugins.allow;
+	if (!Array.isArray(allow)) return [];
+	return allow.filter((e) => typeof e === "string");
+}
+//#endregion
+//#region src/rules/lark-plugin-allow.ts
+const LARK_PLUGIN = "openclaw-lark";
+const LEGACY_LARK_PLUGIN = "feishu-openclaw-plugin";
+const LARK_PLUGIN_NAMES = [LARK_PLUGIN, LEGACY_LARK_PLUGIN];
+let LarkPluginAllowRule = class LarkPluginAllowRule extends DiagnoseRule {
+	validate(ctx) {
+		const allow = getAllow(ctx.config);
+		if (LARK_PLUGIN_NAMES.some((name) => allow.includes(name))) return { pass: true };
+		const installed = detectInstalledLarkPlugin(getExtensionsDir(ctx.configPath));
+		if (installed == null) return { pass: true };
+		return {
+			pass: false,
+			message: `plugins.allow 缺少飞书插件 ${installed}（已在 extensions/ 下装但未启用）`
+		};
+	}
+	repair(ctx) {
+		const installed = detectInstalledLarkPlugin(getExtensionsDir(ctx.configPath));
+		if (installed == null) return;
+		if (ctx.config.plugins == null || typeof ctx.config.plugins !== "object" || Array.isArray(ctx.config.plugins)) {
+			ctx.config.plugins = { allow: [installed] };
+			return;
+		}
+		const pluginsMap = ctx.config.plugins;
+		const rawAllow = pluginsMap.allow;
+		const original = Array.isArray(rawAllow) ? rawAllow : [];
+		const stringAllow = original.filter((e) => typeof e === "string");
+		if (LARK_PLUGIN_NAMES.some((name) => stringAllow.includes(name))) return;
+		original.push(installed);
+		pluginsMap.allow = original;
+	}
+};
+LarkPluginAllowRule = __decorate([Rule({
+	key: "lark_plugin_allow",
+	description: "当飞书插件（openclaw-lark 或旧版名）已在磁盘安装但未加入 plugins.allow 时，自动添加",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	level: "critical"
+})], LarkPluginAllowRule);
+function getAllow(config) {
+	const plugins = config.plugins;
+	if (plugins == null || typeof plugins !== "object" || Array.isArray(plugins)) return [];
+	const allow = plugins.allow;
+	if (!Array.isArray(allow)) return [];
+	return allow.filter((e) => typeof e === "string");
+}
+/**
+* fs-only 检测：`<extDir>/<name>/package.json` 存在即视为已装。
+* 优先级 openclaw-lark（新版）> feishu-openclaw-plugin（legacy）。
+* 不读 package.json 内容，只判存在性，避开 JSON 损坏。
+*/
+function detectInstalledLarkPlugin(extDir) {
+	for (const name of [LARK_PLUGIN, LEGACY_LARK_PLUGIN]) if (pluginPackageJsonExists(extDir, name)) return name;
+	return null;
+}
+function pluginPackageJsonExists(extDir, pluginDir) {
+	try {
+		return node_fs.default.existsSync(node_path.default.join(extDir, pluginDir, "package.json"));
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region src/rules/old-miaoda-plugins-cleanup.ts
+const NEW_MIAODA = "openclaw-extension-miaoda";
+const OLD_PLUGIN_NAMES = Object.freeze([
+	"openclaw-feishu-greeting",
+	"openclaw-miaoda-keepalive",
+	"feishu-greeting",
+	"miaoda-keepalive"
+]);
+function getPluginMaps(config) {
+	const rawAllow = asRecord(config.plugins)?.allow;
+	return {
+		entries: getNestedMap(config, "plugins", "entries"),
+		installs: getNestedMap(config, "plugins", "installs"),
+		allow: Array.isArray(rawAllow) ? rawAllow : void 0
+	};
+}
+function hasNewMiaoda({ entries, installs, allow }) {
+	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
+}
+function findResiduals({ entries, installs, allow }, extensionsDir) {
+	return OLD_PLUGIN_NAMES.filter((name) => entries?.[name] != null || installs?.[name] != null || (allow?.includes(name) ?? false) || node_fs.default.existsSync(node_path.default.join(extensionsDir, name)));
+}
+let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends DiagnoseRule {
+	validate(ctx) {
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return { pass: true };
+		const residuals = findResiduals(maps, getExtensionsDir(ctx.configPath));
+		if (residuals.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: "旧 miaoda 插件残留: " + residuals.sort().join(",")
+		};
+	}
+	repair(ctx) {
+		const maps = getPluginMaps(ctx.config);
+		if (!hasNewMiaoda(maps)) return;
+		const extensionsDir = getExtensionsDir(ctx.configPath);
+		const { entries, installs, allow } = maps;
+		const oldSet = new Set(OLD_PLUGIN_NAMES);
+		if (allow) for (let i = allow.length - 1; i >= 0; i--) {
+			const v = allow[i];
+			if (typeof v === "string" && oldSet.has(v)) allow.splice(i, 1);
+		}
+		for (const name of OLD_PLUGIN_NAMES) {
+			if (entries && name in entries) delete entries[name];
+			if (installs && name in installs) delete installs[name];
+			const target = node_path.default.join(extensionsDir, name);
+			const rel = node_path.default.relative(extensionsDir, target);
+			if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
+			try {
+				node_fs.default.rmSync(target, {
+					recursive: true,
+					force: true
+				});
+			} catch (e) {
+				console.error(`[old_miaoda_plugins_cleanup] rmSync ${target} failed: ${e.message}`);
+			}
+		}
+	}
+};
+OldMiaodaPluginsCleanupRule = __decorate([Rule({
+	key: "old_miaoda_plugins_cleanup",
+	description: "当新版 openclaw-extension-miaoda 已存在时，清理过时插件引用（openclaw-feishu-greeting、openclaw-miaoda-keepalive 等）",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard",
+	level: "silent"
+})], OldMiaodaPluginsCleanupRule);
+//#endregion
+//#region src/rules/builtin-plugin-missing.ts
+/**
+* install-extension --all 安装的内置扩展插件列表（manifest role=extension）。
+* 与 miaoda-official-plugins-install-spec-unlock.ts 中的 OFFICIAL_PLUGIN_NAMES 保持一致。
+*/
+const BUILTIN_EXTENSION_PLUGINS = new Set([
+	"openclaw-lark",
+	"openclaw-extension-miaoda",
+	"openclaw-extension-miaoda-coding",
+	"openclaw-guardian-plugin",
+	"openclaw-mem0-plugin"
+]);
+function findMissingBuiltinPlugins(ctx) {
+	const extDir = getExtensionsDir(ctx.configPath);
+	return [...BUILTIN_EXTENSION_PLUGINS].filter((name) => !isPluginInstalledOnDisk(extDir, name)).sort();
+}
+let BuiltinPluginMissingRule = class BuiltinPluginMissingRule extends DiagnoseRule {
+	validate(ctx) {
+		const missing = findMissingBuiltinPlugins(ctx);
 		if (missing.length === 0) return { pass: true };
 		return {
 			pass: false,
@@ -3588,7 +3919,7 @@ function extractScopedNameFromSpec(spec) {
 	const at = spec.indexOf("@", 1);
 	return at === -1 ? spec : spec.slice(0, at);
 }
-function isLarkCliAvailable$1() {
+function isLarkCliAvailable() {
 	try {
 		return (0, node_child_process.spawnSync)(LARK_CLI_NAME$1, ["--version"], {
 			encoding: "utf-8",
@@ -3629,7 +3960,7 @@ function installLarkCliOnce(tag) {
 let LarkCliMissingForInstalledLarkPluginRule = class LarkCliMissingForInstalledLarkPluginRule extends DiagnoseRule {
 	validate(ctx) {
 		if (!isTargetForkPlugin(readInstalledLarkPlugin(ctx))) return { pass: true };
-		if (isLarkCliAvailable$1()) return { pass: true };
+		if (isLarkCliAvailable()) return { pass: true };
 		return {
 			pass: false,
 			message: `${FORK_PACKAGE_NAME}@${TARGET_VERSION} 已安装，但 lark-cli 不可用；将执行一次 lark-cli 安装`
@@ -3637,7 +3968,7 @@ let LarkCliMissingForInstalledLarkPluginRule = class LarkCliMissingForInstalledL
 	}
 	repair(ctx) {
 		if (!isTargetForkPlugin(readInstalledLarkPlugin(ctx))) return;
-		if (isLarkCliAvailable$1()) return;
+		if (isLarkCliAvailable()) return;
 		installLarkCliOnce(ctx.vars.recommendedOpenclawTag ?? TARGET_VERSION);
 	}
 };
@@ -3650,117 +3981,6 @@ LarkCliMissingForInstalledLarkPluginRule = __decorate([Rule({
 	usesVars: ["recommendedOpenclawTag"]
 })], LarkCliMissingForInstalledLarkPluginRule);
 //#endregion
-//#region src/rules/feishu-bot-channel-config.ts
-/**
-* Ensures each bot account's channel config is correct:
-*   1. `allowFrom` contains its own `creatorOpenID` from larkApps
-*   2. `appSecret` is either the canonical provider-ref or matches larkApps plaintext
-*
-* Covers both multi-account (channels.feishu.accounts) and single-account
-* (channels.feishu.appId + allowFrom at top level) layouts.
-*/
-let FeishuBotChannelConfigRule = class FeishuBotChannelConfigRule extends DiagnoseRule {
-	validate(ctx) {
-		const larkApps = ctx.vars.larkApps;
-		if (!larkApps || larkApps.length === 0) return { pass: true };
-		const feishu = asRecord(getNestedMap(ctx.config, "channels", "feishu"));
-		if (!feishu) return { pass: true };
-		const issues = [];
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [accountId, account] of Object.entries(accounts)) {
-			const bot = asRecord(account);
-			if (!bot) continue;
-			const appId = bot.appId;
-			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-			const larkApp = larkApps.find((e) => e.larkAppID === appId);
-			if (!larkApp) continue;
-			this.checkBot(accountId, bot, larkApp, issues);
-		}
-		const singleAppId = feishu.appId;
-		if (typeof singleAppId === "string" && singleAppId.startsWith("cli_") && !accounts) {
-			const larkApp = larkApps.find((e) => e.larkAppID === singleAppId);
-			if (larkApp) this.checkBot("feishu", feishu, larkApp, issues);
-		}
-		if (issues.length === 0) return { pass: true };
-		return {
-			pass: false,
-			message: issues.join("; ")
-		};
-	}
-	/** Check a single bot entry (either an account object or the feishu channel itself).
-	*  appSecret is validated based on its current type:
-	*  - object → must match canonical provider-ref
-	*  - string → must match larkApps plaintext
-	*/
-	checkBot(label, bot, larkApp, issues) {
-		const creatorOpenID = larkApp.creatorOpenID;
-		const allowFrom = Array.isArray(bot.allowFrom) ? bot.allowFrom : [];
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			if (!allowFrom.includes(creatorOpenID)) issues.push(`${label} allowFrom missing creatorOpenID ${creatorOpenID.length > 8 ? creatorOpenID.slice(0, 4) + "***" + creatorOpenID.slice(-4) : "***"}`);
-		} else if (allowFrom.length === 0) issues.push(`${label} allowFrom is empty (creatorOpenID unavailable, cannot auto-fix)`);
-		const secret = bot.appSecret;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) issues.push(`${label} appSecret is a provider-ref but not the canonical one`);
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) issues.push(`${label} appSecret plaintext mismatch`);
-		} else issues.push(`${label} appSecret has unexpected type ${typeof secret}`);
-	}
-	repair(ctx) {
-		const larkApps = ctx.vars.larkApps;
-		if (!larkApps || larkApps.length === 0) return;
-		const feishu = asRecord(getNestedMap(ctx.config, "channels", "feishu"));
-		if (!feishu) return;
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [, account] of Object.entries(accounts)) {
-			const bot = asRecord(account);
-			if (!bot) continue;
-			const appId = bot.appId;
-			if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-			const larkApp = larkApps.find((e) => e.larkAppID === appId);
-			if (!larkApp) continue;
-			this.fixBot(bot, larkApp);
-		}
-		const singleAppId = feishu.appId;
-		if (typeof singleAppId === "string" && singleAppId.startsWith("cli_") && !accounts) {
-			const larkApp = larkApps.find((e) => e.larkAppID === singleAppId);
-			if (larkApp) this.fixBot(feishu, larkApp);
-		}
-	}
-	/** Fix a single bot entry in-place.
-	*  appSecret is repaired based on its current type:
-	*  - object → fix to canonical provider-ref
-	*  - string → fix to larkApps plaintext
-	*/
-	fixBot(bot, larkApp) {
-		const creatorOpenID = larkApp.creatorOpenID;
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
-			if (!allowFrom.includes(creatorOpenID)) {
-				allowFrom.push(creatorOpenID);
-				bot.allowFrom = allowFrom;
-			}
-		}
-		const secret = bot.appSecret;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) bot.appSecret = larkApp.appSecret;
-		}
-	}
-};
-FeishuBotChannelConfigRule = __decorate([Rule({
-	key: "feishu_bot_channel_config",
-	description: "确保飞书配置中 bot 账号的 allowFrom 包含其创建者 openID 且 appSecret 值正确",
-	dependsOn: [
-		"config_syntax_check",
-		"feishu_default_account",
-		"feishu_bot_id"
-	],
-	repairMode: "standard",
-	usesVars: ["larkApps"],
-	level: "critical"
-})], FeishuBotChannelConfigRule);
-//#endregion
 //#region src/check.ts
 /** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
 *  AND a DoctorReport-shape payload (for `openclaw.report_cli_run`). The
@@ -4201,32 +4421,8 @@ function finalize$1(results, aborted) {
 	};
 }
 //#endregion
-//#region src/paths.ts
-/**
-* Central directory for all ephemeral diagnose/reset artifacts: task status
-* files (`reset-<taskId>.json`) and human-readable step logs
-* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
-* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
-* run, and each run's log is right next to its state.
-*/
-const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
-function resetResultFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
-}
-function resetLogFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
-}
-/** Sandbox workspace root where openclaw config + agent state lives. */
-const WORKSPACE_DIR = "/home/gem/workspace/agent";
-/** File containing the provider key used by the openclaw miaoda provider. */
-const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
-/** File containing the miaoda openclaw secrets JSON. */
-const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
-/** Absolute path to the openclaw config JSON. */
-const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
-//#endregion
-//#region src/run-log.ts
-let currentRunContext;
+//#region src/run-log.ts
+let currentRunContext;
 /**
 * Install the run context for this CLI execution. Must be called once at
 * the top of `main()` before any subcommand work; idempotent (last call
@@ -4360,10 +4556,9 @@ function makeLogger(logFile) {
 /**
 * Start an async reset task: spawn a detached child process and return the taskId.
 *
-* The child process runs: node cli.js reset --worker --task-id=xxx
-* The worker fetches ctx from innerApi itself — no --ctx passthrough.
+* The child process runs: node cli.js reset --worker --task-id=xxx --ctx=base64
 */
-function startAsyncReset() {
+function startAsyncReset(ctxBase64) {
 	const taskId = (0, node_crypto.randomUUID)();
 	const resultFile = resetResultFile(taskId);
 	const log = makeLogger(resetLogFile(taskId));
@@ -4387,7 +4582,8 @@ function startAsyncReset() {
 		process.argv[1],
 		"reset",
 		"--worker",
-		`--task-id=${taskId}`
+		`--task-id=${taskId}`,
+		`--ctx=${ctxBase64}`
 	], {
 		detached: true,
 		stdio: "ignore",
@@ -4505,557 +4701,297 @@ function describeCause(c, depth = 0) {
 		const head = code ? `${code} ${c.message}` : c.message;
 		const inner = describeCause(c.cause, depth + 1);
 		return inner ? `${head} <- ${inner}` : head;
-	}
-	return String(c);
-}
-/** Strip query string — OSS signed URLs put the auth token there. Keeps
-*  protocol/host/path so the operator can tell *which* OSS bucket / object
-*  was being fetched. */
-function redactUrl(raw) {
-	try {
-		const u = new URL(raw);
-		const tail = u.search ? "?<redacted>" : "";
-		return `${u.protocol}//${u.host}${u.pathname}${tail}`;
-	} catch {
-		return "<invalid-url>";
-	}
-}
-function originOf(raw) {
-	try {
-		return new URL(raw).host;
-	} catch {
-		return "unknown-host";
-	}
-}
-//#endregion
-//#region src/oss/fetchManifest.ts
-const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
-const MANIFEST_SUFFIX = ".json";
-const manifestCache = /* @__PURE__ */ new Map();
-async function fetchManifest(ossFileMap, tag) {
-	const key = `${MANIFEST_PREFIX}${tag}${MANIFEST_SUFFIX}`;
-	const url = ossFileMap[key];
-	if (!url) {
-		const available = Object.keys(ossFileMap).filter((k) => k.startsWith(MANIFEST_PREFIX) && k.endsWith(MANIFEST_SUFFIX)).map((k) => k.slice(39, -5));
-		const availStr = available.length ? available.join(", ") : "(none)";
-		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
-	}
-	const cached = manifestCache.get(url);
-	if (cached) return cached;
-	const label = `openclaw manifest tag=${tag}`;
-	const res = await fetchWithDiag(url, { label });
-	if (!res.ok) {
-		const body = await readPreview(res);
-		throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (body ? ` body=${body}` : ""));
-	}
-	const manifest = await res.json();
-	manifestCache.set(url, manifest);
-	return manifest;
-}
-/** Best-effort body preview for HTTP-error diagnostics. OSS errors are
-*  XML; first 256 chars usually contain the <Code> + <Message> we care
-*  about. Failures here are swallowed (logging-only, not load-bearing). */
-async function readPreview(res) {
-	try {
-		return (await res.text()).slice(0, 256);
-	} catch {
-		return "";
-	}
-}
-async function downloadWithCache(pkg, ossFileMap, opts = {}) {
-	const cacheRoot = opts.cacheRoot ?? "/tmp/openclaw-diagnose/resources";
-	const shortHash = pkg.shasum.slice(0, 16);
-	const destDir = node_path.default.join(cacheRoot, shortHash);
-	const destFile = node_path.default.join(destDir, node_path.default.posix.basename(pkg.ossKey));
-	node_fs.default.mkdirSync(destDir, { recursive: true });
-	if (node_fs.default.existsSync(destFile)) return destFile;
-	const url = ossFileMap[pkg.ossKey];
-	if (!url) throw new Error(`signed URL missing for ${pkg.ossKey}`);
-	if (!pkg.integrity.startsWith("sha512-")) throw new Error(`unsupported integrity format: ${pkg.integrity}`);
-	const expected = pkg.integrity.slice(7);
-	const tmpFile = node_path.default.join(destDir, `.tmp.${process.pid}.${node_crypto.default.randomBytes(4).toString("hex")}`);
-	try {
-		const label = `download ${pkg.ossKey}`;
-		const res = await fetchWithDiag(url, {
-			label,
-			timeoutMs: 6e4
-		});
-		if (!res.ok) {
-			let preview = "";
-			try {
-				preview = (await res.text()).slice(0, 256);
-			} catch {}
-			throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (preview ? ` body=${preview}` : ""));
-		}
-		if (!res.body) throw new Error(`${label}: empty body`);
-		const hasher = node_crypto.default.createHash("sha512");
-		const source = node_stream.Readable.fromWeb(res.body);
-		async function* teeAndHash(src) {
-			for await (const chunk of src) {
-				hasher.update(chunk);
-				yield chunk;
-			}
-		}
-		await (0, node_stream_promises.pipeline)(source, teeAndHash, node_fs.default.createWriteStream(tmpFile));
-		const actual = hasher.digest("base64");
-		if (actual !== expected) {
-			const envBypass = process.env.OPENCLAW_DEBUG_SKIP_INTEGRITY === "1";
-			if (opts.skipIntegrity || envBypass) {
-				const sourceLabel = opts.skipIntegrity ? "skipIntegrity=true" : "OPENCLAW_DEBUG_SKIP_INTEGRITY=1";
-				console.error(`⚠ [downloadWithCache] INTEGRITY BYPASS for ${pkg.ossKey}: expected ${expected.slice(0, 12)}… got ${actual.slice(0, 12)}… — ${sourceLabel}. DO NOT use this flag in production.`);
-			} else throw new Error(`integrity mismatch for ${pkg.ossKey}: expected ${expected} got ${actual}`);
-		}
-		moveSafe(tmpFile, destFile);
-		return destFile;
-	} catch (e) {
-		try {
-			node_fs.default.unlinkSync(tmpFile);
-		} catch {}
-		throw e;
-	}
-}
-//#endregion
-//#region src/install-openclaw.ts
-async function installOpenclaw(openclawTag, ossFileMap, opts = {}) {
-	const homeBase = resolveHomeBase(opts.homeBase);
-	const t0 = Date.now();
-	const pkg = (await fetchManifest(ossFileMap, openclawTag)).packages.find((p) => p.role === "cli" && p.name === "openclaw");
-	if (!pkg) throw new Error("install-openclaw: role=cli,name=openclaw not found in manifest");
-	const targetDir = opts.targetDir ?? node_path.default.join(homeBase, pkg.installPath);
-	const bakDir = targetDir + ".bak";
-	const newDir = targetDir + ".new";
-	const tarball = await downloadWithCache(pkg, ossFileMap, opts);
-	console.error(`[install-openclaw] tag=${openclawTag} shasum=${pkg.shasum.slice(0, 12)}...`);
-	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
-		recursive: true,
-		force: true
-	});
-	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-		recursive: true,
-		force: true
-	});
-	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
-	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(opts.tmpRoot ?? node_os.default.tmpdir(), "openclaw-install-"));
-	try {
-		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
-		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error("extracted tarball missing package.json");
-		moveSafe(tmpStage, newDir);
-		const hadExisting = node_fs.default.existsSync(targetDir);
-		try {
-			if (hadExisting) moveSafe(targetDir, bakDir);
-			moveSafe(newDir, targetDir);
-		} catch (e) {
-			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
-				moveSafe(bakDir, targetDir);
-			} catch {}
-			try {
-				node_fs.default.rmSync(newDir, {
-					recursive: true,
-					force: true
-				});
-			} catch {}
-			throw e;
-		}
-		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-			recursive: true,
-			force: true
-		});
-	} finally {
-		if (node_fs.default.existsSync(tmpStage)) try {
-			node_fs.default.rmSync(tmpStage, {
-				recursive: true,
-				force: true
-			});
-		} catch {}
-	}
-	console.error(`[install-openclaw] done in ${Date.now() - t0}ms`);
-}
-async function installExtension(tag, ossFileMap, opts = {}) {
-	const homeBase = resolveHomeBase(opts.homeBase);
-	const hasAll = !!opts.all;
-	const hasNames = (opts.names?.length ?? 0) > 0;
-	if (hasAll && hasNames) throw new Error("install-extension: --all and --extension are mutually exclusive");
-	if (!hasAll && !hasNames) throw new Error("install-extension: must provide --all or --extension=<name>");
-	const allExts = (await fetchManifest(ossFileMap, tag)).packages.filter((p) => p.role === "extension");
-	let targets;
-	if (hasAll) targets = allExts;
-	else {
-		const wanted = new Set(opts.names);
-		targets = allExts.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
-		const foundKeys = /* @__PURE__ */ new Set();
-		for (const t of targets) {
-			foundKeys.add(t.name);
-			if (t.packageName) foundKeys.add(t.packageName);
-		}
-		const missing = opts.names.filter((n) => !foundKeys.has(n));
-		if (missing.length > 0) throw new Error(`install-extension: not found in manifest: ${missing.join(", ")}`);
-	}
-	console.error(`[install-extension] tag=${tag} targets=${targets.length}`);
-	const t0 = Date.now();
-	const tarballs = await Promise.all(targets.map(async (p) => {
-		const tb = await downloadWithCache(p, ossFileMap, opts);
-		console.error(`[install-extension]   ${p.name}: downloaded`);
-		return {
-			pkg: p,
-			tarball: tb
-		};
-	}));
-	for (const { pkg, tarball } of tarballs) {
-		installOne$1(pkg, tarball, homeBase);
-		console.error(`[install-extension]   ${pkg.name}: installed`);
-	}
-	if (!opts.skipConfigUpdate) updatePluginInstalls(opts.configPath ?? node_path.default.join(homeBase, "workspace/agent/openclaw.json"), targets);
-	else console.error(`[install-extension] skipConfigUpdate=true — not touching openclaw.json`);
-	console.error(`[install-extension] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
-}
-const MEM0_PLUGIN_NAME = "openclaw-mem0-plugin";
-const PLUGINS_TO_AUTO_ENABLE = ["openclaw-lark", "openclaw-extension-miaoda"];
-/**
-* Merge each installed extension's installMetadata into openclaw.json's
-* plugins.installs[<pkg.name>]. Atomic write via tmp + rename.
-*
-* - No openclaw.json → log + return (not an error; some install contexts don't have it yet)
-* - Extension without installMetadata in manifest → skip that entry (log)
-* - Existing plugins.installs entries for other extensions left untouched
-*
-* Special-case for mem0: when openclaw-mem0-plugin is among the installed
-* targets, also append it to plugins.allow (idempotent) and seed
-* plugins.entries.openclaw-mem0-plugin = { enabled: false } when the key
-* is absent. Existing values are preserved (user toggles survive).
-*/
-function updatePluginInstalls(configPath, installedPkgs) {
-	if (!node_fs.default.existsSync(configPath)) {
-		console.error(`[install-extension] no config at ${configPath} — skip plugins.installs update`);
-		return;
-	}
-	const JSON5 = loadJSON5();
-	const raw = node_fs.default.readFileSync(configPath, "utf-8");
-	const config = JSON5.parse(raw);
-	if (!config.plugins || typeof config.plugins !== "object") config.plugins = {};
-	const plugins = config.plugins;
-	if (!plugins.installs || typeof plugins.installs !== "object") plugins.installs = {};
-	const installs = plugins.installs;
-	let updated = 0;
-	let skipped = 0;
-	for (const pkg of installedPkgs) if (pkg.installMetadata) {
-		installs[pkg.name] = pkg.installMetadata;
-		updated++;
-	} else skipped++;
-	if (installedPkgs.some((p) => p.name === MEM0_PLUGIN_NAME)) {
-		const allowRaw = plugins.allow;
-		const allow = Array.isArray(allowRaw) ? allowRaw : [];
-		if (!allow.filter((e) => typeof e === "string").includes(MEM0_PLUGIN_NAME)) allow.push(MEM0_PLUGIN_NAME);
-		plugins.allow = allow;
-		if (!plugins.entries || typeof plugins.entries !== "object" || Array.isArray(plugins.entries)) plugins.entries = {};
-		const entries = plugins.entries;
-		if (!(MEM0_PLUGIN_NAME in entries)) entries[MEM0_PLUGIN_NAME] = { enabled: false };
-	}
-	for (const pkg of installedPkgs) {
-		if (!PLUGINS_TO_AUTO_ENABLE.includes(pkg.name)) continue;
-		if (!Array.isArray(plugins.allow)) plugins.allow = [];
-		const allow = plugins.allow;
-		if (!allow.includes(pkg.name)) allow.push(pkg.name);
-		if (!plugins.entries || typeof plugins.entries !== "object" || Array.isArray(plugins.entries)) plugins.entries = {};
-		const entries = plugins.entries;
-		entries[pkg.name] = {
-			...asRecord(entries[pkg.name]) ?? {},
-			enabled: true
-		};
-	}
-	const tmpPath = configPath + ".installs-tmp";
-	node_fs.default.writeFileSync(tmpPath, JSON.stringify(config, null, 2), "utf-8");
-	moveSafe(tmpPath, configPath);
-	console.error(`[install-extension] plugins.installs updated: ${updated} entry(ies) in ${configPath}` + (skipped > 0 ? ` (${skipped} package(s) without installMetadata skipped)` : ""));
-}
-function installOne$1(pkg, tarball, homeBase) {
-	const destDir = node_path.default.join(homeBase, pkg.installPath);
-	const stagingDir = destDir + ".new";
-	const oldDir = destDir + ".old";
-	node_fs.default.mkdirSync(node_path.default.dirname(destDir), { recursive: true });
-	if (node_fs.default.existsSync(stagingDir)) node_fs.default.rmSync(stagingDir, {
-		recursive: true,
-		force: true
-	});
-	node_fs.default.mkdirSync(stagingDir);
-	try {
-		extractTarballTolerant(tarball, stagingDir, { stripComponents: 1 });
-		if (!node_fs.default.existsSync(node_path.default.join(stagingDir, "package.json"))) throw new Error(`extension tarball missing package.json: ${pkg.name}`);
-	} catch (e) {
-		try {
-			node_fs.default.rmSync(stagingDir, {
-				recursive: true,
-				force: true
-			});
-		} catch {}
-		throw e;
-	}
-	const hadOld = node_fs.default.existsSync(destDir);
-	if (hadOld) moveSafe(destDir, oldDir);
-	moveSafe(stagingDir, destDir);
-	if (hadOld && node_fs.default.existsSync(oldDir)) node_fs.default.rmSync(oldDir, {
-		recursive: true,
-		force: true
-	});
-}
-//#endregion
-//#region src/lark-cli-init.ts
-const LARK_PLUGIN_NAMES = ["openclaw-lark", "feishu-openclaw-plugin"];
-const PE_XML_TAG = "lark-cli-pe";
-const PE_PLACEHOLDER = `
-<${PE_XML_TAG}>
-**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
-</${PE_XML_TAG}>
-`;
-function isLarkPluginInstalled(configPath) {
-	const extDir = getExtensionsDir(configPath);
-	return LARK_PLUGIN_NAMES.some((name) => {
-		try {
-			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
-		} catch {
-			return false;
-		}
-	});
+	}
+	return String(c);
 }
-function isLarkCliAvailable() {
+/** Strip query string — OSS signed URLs put the auth token there. Keeps
+*  protocol/host/path so the operator can tell *which* OSS bucket / object
+*  was being fetched. */
+function redactUrl(raw) {
 	try {
-		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
-			encoding: "utf-8",
-			timeout: 5e3,
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			]
-		}).status === 0;
+		const u = new URL(raw);
+		const tail = u.search ? "?<redacted>" : "";
+		return `${u.protocol}//${u.host}${u.pathname}${tail}`;
 	} catch {
-		return false;
+		return "<invalid-url>";
 	}
 }
-function readConfig(configPath) {
+function originOf(raw) {
 	try {
-		const raw = node_fs.default.readFileSync(configPath, "utf-8");
-		const parsed = loadJSON5().parse(raw);
-		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+		return new URL(raw).host;
 	} catch {
-		return null;
-	}
-}
-/**
-* Resolve the feishu app secret for the given appId.
-*
-* Lookup order:
-*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
-*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
-*
-* Value interpretation:
-*   - string  → use directly
-*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
-*
-* Returns null when the secret cannot be determined.
-*/
-function resolveAppSecret(appId, config, feishuAppSecret) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return null;
-	let rawSecret;
-	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
-	else {
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [, val] of Object.entries(accounts)) {
-			const account = asRecord(val);
-			if (account?.appId === appId) {
-				rawSecret = account.appSecret ?? feishu.appSecret;
-				break;
-			}
-		}
+		return "unknown-host";
 	}
-	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
-	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
-	return null;
 }
-/**
-* Resolve the agents.md path for the given appId from the openclaw config.
-*
-* Case 1: appId matches channels.feishu.appId (single-agent path)
-*   → WORKSPACE_DIR/AGENTS.md
-*
-* Case 2: appId found in channels.feishu.accounts (multi-agent path)
-*   → find account key where account.appId === appId
-*   → find binding where match.channel=feishu && match.accountId=that key
-*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
-*   → else find agent in agents.list by id → agent.workspace/agents.md
-*
-* Returns null when the path cannot be determined.
-*/
-function resolveAgentsMdPath(appId, config) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) {
-		console.error("resolveAgentsMdPath: channels.feishu not found");
-		return null;
-	}
-	if (typeof feishu.appId === "string" && feishu.appId === appId) {
-		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
-	}
-	const accounts = asRecord(feishu.accounts);
-	if (!accounts) {
-		console.error("resolveAgentsMdPath: feishu.accounts not found");
-		return null;
+//#endregion
+//#region src/oss/fetchManifest.ts
+const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
+const MANIFEST_SUFFIX = ".json";
+const manifestCache = /* @__PURE__ */ new Map();
+async function fetchManifest(ossFileMap, tag) {
+	const key = `${MANIFEST_PREFIX}${tag}${MANIFEST_SUFFIX}`;
+	const url = ossFileMap[key];
+	if (!url) {
+		const available = Object.keys(ossFileMap).filter((k) => k.startsWith(MANIFEST_PREFIX) && k.endsWith(MANIFEST_SUFFIX)).map((k) => k.slice(39, -5));
+		const availStr = available.length ? available.join(", ") : "(none)";
+		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
 	}
-	let accountId;
-	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
-		accountId = key;
-		break;
+	const cached = manifestCache.get(url);
+	if (cached) return cached;
+	const label = `openclaw manifest tag=${tag}`;
+	const res = await fetchWithDiag(url, { label });
+	if (!res.ok) {
+		const body = await readPreview(res);
+		throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (body ? ` body=${body}` : ""));
 	}
-	if (!accountId) {
-		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
-		return null;
+	const manifest = await res.json();
+	manifestCache.set(url, manifest);
+	return manifest;
+}
+/** Best-effort body preview for HTTP-error diagnostics. OSS errors are
+*  XML; first 256 chars usually contain the <Code> + <Message> we care
+*  about. Failures here are swallowed (logging-only, not load-bearing). */
+async function readPreview(res) {
+	try {
+		return (await res.text()).slice(0, 256);
+	} catch {
+		return "";
 	}
-	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
-	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
-	let agentId;
-	for (const b of bindings) {
-		const binding = asRecord(b);
-		if (!binding) continue;
-		const match = asRecord(binding.match);
-		if (match?.channel === "feishu" && match?.accountId === accountId) {
-			if (typeof binding.agentId === "string") {
-				agentId = binding.agentId;
-				break;
+}
+async function downloadWithCache(pkg, ossFileMap, opts = {}) {
+	const cacheRoot = opts.cacheRoot ?? "/tmp/openclaw-diagnose/resources";
+	const shortHash = pkg.shasum.slice(0, 16);
+	const destDir = node_path.default.join(cacheRoot, shortHash);
+	const destFile = node_path.default.join(destDir, node_path.default.posix.basename(pkg.ossKey));
+	node_fs.default.mkdirSync(destDir, { recursive: true });
+	if (node_fs.default.existsSync(destFile)) return destFile;
+	const url = ossFileMap[pkg.ossKey];
+	if (!url) throw new Error(`signed URL missing for ${pkg.ossKey}`);
+	if (!pkg.integrity.startsWith("sha512-")) throw new Error(`unsupported integrity format: ${pkg.integrity}`);
+	const expected = pkg.integrity.slice(7);
+	const tmpFile = node_path.default.join(destDir, `.tmp.${process.pid}.${node_crypto.default.randomBytes(4).toString("hex")}`);
+	try {
+		const label = `download ${pkg.ossKey}`;
+		const res = await fetchWithDiag(url, {
+			label,
+			timeoutMs: 6e4
+		});
+		if (!res.ok) {
+			let preview = "";
+			try {
+				preview = (await res.text()).slice(0, 256);
+			} catch {}
+			throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (preview ? ` body=${preview}` : ""));
+		}
+		if (!res.body) throw new Error(`${label}: empty body`);
+		const hasher = node_crypto.default.createHash("sha512");
+		const source = node_stream.Readable.fromWeb(res.body);
+		async function* teeAndHash(src) {
+			for await (const chunk of src) {
+				hasher.update(chunk);
+				yield chunk;
 			}
 		}
+		await (0, node_stream_promises.pipeline)(source, teeAndHash, node_fs.default.createWriteStream(tmpFile));
+		const actual = hasher.digest("base64");
+		if (actual !== expected) {
+			const envBypass = process.env.OPENCLAW_DEBUG_SKIP_INTEGRITY === "1";
+			if (opts.skipIntegrity || envBypass) {
+				const sourceLabel = opts.skipIntegrity ? "skipIntegrity=true" : "OPENCLAW_DEBUG_SKIP_INTEGRITY=1";
+				console.error(`⚠ [downloadWithCache] INTEGRITY BYPASS for ${pkg.ossKey}: expected ${expected.slice(0, 12)}… got ${actual.slice(0, 12)}… — ${sourceLabel}. DO NOT use this flag in production.`);
+			} else throw new Error(`integrity mismatch for ${pkg.ossKey}: expected ${expected} got ${actual}`);
+		}
+		moveSafe(tmpFile, destFile);
+		return destFile;
+	} catch (e) {
+		try {
+			node_fs.default.unlinkSync(tmpFile);
+		} catch {}
+		throw e;
 	}
-	if (!agentId) {
-		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
-		return null;
-	}
-	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
-	if (agentId === "main") {
-		console.error("resolveAgentsMdPath: case=multi-agent-main");
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
-	}
-	const agentsObj = asRecord(config.agents);
-	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
-	for (const a of list) {
-		const agent = asRecord(a);
-		if (agent?.id === agentId) {
-			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
-			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
-			return node_path.default.join(ws, "AGENTS.md");
+}
+//#endregion
+//#region src/install-openclaw.ts
+async function installOpenclaw(openclawTag, ossFileMap, opts = {}) {
+	const homeBase = resolveHomeBase(opts.homeBase);
+	const t0 = Date.now();
+	const pkg = (await fetchManifest(ossFileMap, openclawTag)).packages.find((p) => p.role === "cli" && p.name === "openclaw");
+	if (!pkg) throw new Error("install-openclaw: role=cli,name=openclaw not found in manifest");
+	const targetDir = opts.targetDir ?? node_path.default.join(homeBase, pkg.installPath);
+	const bakDir = targetDir + ".bak";
+	const newDir = targetDir + ".new";
+	const tarball = await downloadWithCache(pkg, ossFileMap, opts);
+	console.error(`[install-openclaw] tag=${openclawTag} shasum=${pkg.shasum.slice(0, 12)}...`);
+	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
+		recursive: true,
+		force: true
+	});
+	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
+	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(opts.tmpRoot ?? node_os.default.tmpdir(), "openclaw-install-"));
+	try {
+		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
+		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error("extracted tarball missing package.json");
+		moveSafe(tmpStage, newDir);
+		const hadExisting = node_fs.default.existsSync(targetDir);
+		try {
+			if (hadExisting) moveSafe(targetDir, bakDir);
+			moveSafe(newDir, targetDir);
+		} catch (e) {
+			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
+				moveSafe(bakDir, targetDir);
+			} catch {}
+			try {
+				node_fs.default.rmSync(newDir, {
+					recursive: true,
+					force: true
+				});
+			} catch {}
+			throw e;
 		}
+		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
+			recursive: true,
+			force: true
+		});
+	} finally {
+		if (node_fs.default.existsSync(tmpStage)) try {
+			node_fs.default.rmSync(tmpStage, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
 	}
-	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
-	return null;
+	console.error(`[install-openclaw] done in ${Date.now() - t0}ms`);
 }
-function appendPeToAgentsMd(agentsMdPath) {
-	const dir = node_path.default.dirname(agentsMdPath);
-	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
-	if (existing.includes(`<${PE_XML_TAG}>`)) {
-		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
-		return;
+async function installExtension(tag, ossFileMap, opts = {}) {
+	const homeBase = resolveHomeBase(opts.homeBase);
+	const hasAll = !!opts.all;
+	const hasNames = (opts.names?.length ?? 0) > 0;
+	if (hasAll && hasNames) throw new Error("install-extension: --all and --extension are mutually exclusive");
+	if (!hasAll && !hasNames) throw new Error("install-extension: must provide --all or --extension=<name>");
+	const allExts = (await fetchManifest(ossFileMap, tag)).packages.filter((p) => p.role === "extension");
+	let targets;
+	if (hasAll) targets = allExts;
+	else {
+		const wanted = new Set(opts.names);
+		targets = allExts.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
+		const foundKeys = /* @__PURE__ */ new Set();
+		for (const t of targets) {
+			foundKeys.add(t.name);
+			if (t.packageName) foundKeys.add(t.packageName);
+		}
+		const missing = opts.names.filter((n) => !foundKeys.has(n));
+		if (missing.length > 0) throw new Error(`install-extension: not found in manifest: ${missing.join(", ")}`);
 	}
-	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
-	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
-	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
+	console.error(`[install-extension] tag=${tag} targets=${targets.length}`);
+	const t0 = Date.now();
+	const tarballs = await Promise.all(targets.map(async (p) => {
+		const tb = await downloadWithCache(p, ossFileMap, opts);
+		console.error(`[install-extension]   ${p.name}: downloaded`);
+		return {
+			pkg: p,
+			tarball: tb
+		};
+	}));
+	for (const { pkg, tarball } of tarballs) {
+		installOne$1(pkg, tarball, homeBase);
+		console.error(`[install-extension]   ${pkg.name}: installed`);
+	}
+	if (!opts.skipConfigUpdate) updatePluginInstalls(opts.configPath ?? node_path.default.join(homeBase, "workspace/agent/openclaw.json"), targets);
+	else console.error(`[install-extension] skipConfigUpdate=true — not touching openclaw.json`);
+	console.error(`[install-extension] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
 }
+const MEM0_PLUGIN_NAME = "openclaw-mem0-plugin";
+const PLUGINS_TO_AUTO_ENABLE = ["openclaw-lark", "openclaw-extension-miaoda"];
 /**
-* Collect every Feishu bot appId declared in the openclaw config.
-* Covers both single-agent (channels.feishu.appId) and multi-agent
-* (channels.feishu.accounts[*].appId) layouts. Returns a deduplicated list.
+* Merge each installed extension's installMetadata into openclaw.json's
+* plugins.installs[<pkg.name>]. Atomic write via tmp + rename.
+*
+* - No openclaw.json → log + return (not an error; some install contexts don't have it yet)
+* - Extension without installMetadata in manifest → skip that entry (log)
+* - Existing plugins.installs entries for other extensions left untouched
+*
+* Special-case for mem0: when openclaw-mem0-plugin is among the installed
+* targets, also append it to plugins.allow (idempotent) and seed
+* plugins.entries.openclaw-mem0-plugin = { enabled: false } when the key
+* is absent. Existing values are preserved (user toggles survive).
 */
-function collectFeishuAppIds(configPath) {
-	const config = readConfig(configPath ?? CONFIG_PATH);
-	if (!config) return [];
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return [];
-	const appIds = /* @__PURE__ */ new Set();
-	const topAppId = feishu.appId;
-	if (typeof topAppId === "string" && topAppId.trim()) appIds.add(topAppId.trim());
-	const accounts = asRecord(feishu.accounts);
-	if (accounts) for (const val of Object.values(accounts)) {
-		const appId = asRecord(val)?.appId;
-		if (typeof appId === "string" && appId.trim()) appIds.add(appId.trim());
+function updatePluginInstalls(configPath, installedPkgs) {
+	if (!node_fs.default.existsSync(configPath)) {
+		console.error(`[install-extension] no config at ${configPath} — skip plugins.installs update`);
+		return;
 	}
-	return [...appIds];
-}
-function runLarkCliInit(opts) {
-	const configPath = opts.configPath ?? CONFIG_PATH;
-	if (!isLarkPluginInstalled(configPath)) {
-		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "openclaw-lark plugin not installed"
-		};
+	const JSON5 = loadJSON5();
+	const raw = node_fs.default.readFileSync(configPath, "utf-8");
+	const config = JSON5.parse(raw);
+	if (!config.plugins || typeof config.plugins !== "object") config.plugins = {};
+	const plugins = config.plugins;
+	if (!plugins.installs || typeof plugins.installs !== "object") plugins.installs = {};
+	const installs = plugins.installs;
+	let updated = 0;
+	let skipped = 0;
+	for (const pkg of installedPkgs) if (pkg.installMetadata) {
+		installs[pkg.name] = pkg.installMetadata;
+		updated++;
+	} else skipped++;
+	if (installedPkgs.some((p) => p.name === MEM0_PLUGIN_NAME)) {
+		const allowRaw = plugins.allow;
+		const allow = Array.isArray(allowRaw) ? allowRaw : [];
+		if (!allow.filter((e) => typeof e === "string").includes(MEM0_PLUGIN_NAME)) allow.push(MEM0_PLUGIN_NAME);
+		plugins.allow = allow;
+		if (!plugins.entries || typeof plugins.entries !== "object" || Array.isArray(plugins.entries)) plugins.entries = {};
+		const entries = plugins.entries;
+		if (!(MEM0_PLUGIN_NAME in entries)) entries[MEM0_PLUGIN_NAME] = { enabled: false };
 	}
-	if (!isLarkCliAvailable()) {
-		console.error("lark-cli-init: skipping — lark-cli command not found");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "lark-cli command not found"
+	for (const pkg of installedPkgs) {
+		if (!PLUGINS_TO_AUTO_ENABLE.includes(pkg.name)) continue;
+		if (!Array.isArray(plugins.allow)) plugins.allow = [];
+		const allow = plugins.allow;
+		if (!allow.includes(pkg.name)) allow.push(pkg.name);
+		if (!plugins.entries || typeof plugins.entries !== "object" || Array.isArray(plugins.entries)) plugins.entries = {};
+		const entries = plugins.entries;
+		entries[pkg.name] = {
+			...asRecord(entries[pkg.name]) ?? {},
+			enabled: true
 		};
 	}
-	const config = readConfig(configPath);
-	if (!config) return {
-		ok: false,
-		error: `could not read config at ${configPath}`
-	};
-	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
-	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
-	if (!agentsMdPath) return {
-		ok: false,
-		error: `could not resolve agents.md path for appId=${opts.appId}`
-	};
-	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
-	if (!appSecret) return {
-		ok: false,
-		error: `could not resolve appSecret for appId=${opts.appId}`
-	};
-	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
-	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
-		"config",
-		"init",
-		"--name",
-		opts.appId,
-		"--app-id",
-		opts.appId,
-		"--brand",
-		"feishu",
-		"--app-secret-stdin",
-		"--force-init"
-	], {
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8",
-		input: appSecret
+	const tmpPath = configPath + ".installs-tmp";
+	node_fs.default.writeFileSync(tmpPath, JSON.stringify(config, null, 2), "utf-8");
+	moveSafe(tmpPath, configPath);
+	console.error(`[install-extension] plugins.installs updated: ${updated} entry(ies) in ${configPath}` + (skipped > 0 ? ` (${skipped} package(s) without installMetadata skipped)` : ""));
+}
+function installOne$1(pkg, tarball, homeBase) {
+	const destDir = node_path.default.join(homeBase, pkg.installPath);
+	const stagingDir = destDir + ".new";
+	const oldDir = destDir + ".old";
+	node_fs.default.mkdirSync(node_path.default.dirname(destDir), { recursive: true });
+	if (node_fs.default.existsSync(stagingDir)) node_fs.default.rmSync(stagingDir, {
+		recursive: true,
+		force: true
+	});
+	node_fs.default.mkdirSync(stagingDir);
+	try {
+		extractTarballTolerant(tarball, stagingDir, { stripComponents: 1 });
+		if (!node_fs.default.existsSync(node_path.default.join(stagingDir, "package.json"))) throw new Error(`extension tarball missing package.json: ${pkg.name}`);
+	} catch (e) {
+		try {
+			node_fs.default.rmSync(stagingDir, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+		throw e;
+	}
+	const hadOld = node_fs.default.existsSync(destDir);
+	if (hadOld) moveSafe(destDir, oldDir);
+	moveSafe(stagingDir, destDir);
+	if (hadOld && node_fs.default.existsSync(oldDir)) node_fs.default.rmSync(oldDir, {
+		recursive: true,
+		force: true
 	});
-	const configInitStdout = initRes.stdout?.trim() || void 0;
-	const configInitStderr = initRes.stderr?.trim() || void 0;
-	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
-	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
-	if (initRes.error) return {
-		ok: false,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init spawn error: ${initRes.error.message}`
-	};
-	if (initRes.status !== 0) return {
-		ok: false,
-		configInitExitCode: initRes.status ?? void 0,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init exited with code ${initRes.status}`
-	};
-	appendPeToAgentsMd(agentsMdPath);
-	return {
-		ok: true,
-		configInitExitCode: 0,
-		agentsMdPath
-	};
 }
 //#endregion
 //#region ../../openclaw-slardar/lib/client.js
@@ -6901,60 +6837,6 @@ function mergeCoreBackupAndOrigins(configPath, vars, resetData, log) {
 	log(`allowedOrigins: added ${added.length} (${JSON.stringify(added)}), total now ${mergedOrigins.length}`);
 }
 /**
-* Fix bot account allowFrom and appSecret using larkApps from innerApi.
-*
-* For each bot account (key starts with `bot-cli_`):
-*   - allowFrom must contain the bot's own creatorOpenID from larkApps
-*   - appSecret must be either the canonical provider-ref or match larkApps plaintext
-*
-* Runs after mergeCoreBackupAndOrigins so it operates on the final config state.
-*/
-function fixBotChannelConfig(configPath, larkApps, log) {
-	if (!larkApps || larkApps.length === 0) {
-		log("no larkApps data, skip bot channel config fix");
-		return;
-	}
-	const config = loadJSON5().parse(node_fs.default.readFileSync(configPath, "utf-8"));
-	const accounts = asRecord(getNestedMap(config, "channels", "feishu")?.accounts);
-	if (!accounts) {
-		log("no feishu accounts in config, skip bot channel config fix");
-		return;
-	}
-	let fixCount = 0;
-	for (const [, account] of Object.entries(accounts)) {
-		const bot = asRecord(account);
-		if (!bot) continue;
-		const appId = bot.appId;
-		if (typeof appId !== "string" || !appId.startsWith("cli_")) continue;
-		const larkApp = larkApps.find((e) => e.larkAppID === appId);
-		if (!larkApp) continue;
-		const creatorOpenID = larkApp.creatorOpenID;
-		if (typeof creatorOpenID === "string" && creatorOpenID !== "") {
-			const allowFrom = Array.isArray(bot.allowFrom) ? [...bot.allowFrom] : [];
-			if (!allowFrom.includes(creatorOpenID)) {
-				allowFrom.push(creatorOpenID);
-				bot.allowFrom = allowFrom;
-				fixCount++;
-			}
-		}
-		const secret = bot.appSecret;
-		let needsFix = false;
-		if (typeof secret === "object" && secret !== null && !Array.isArray(secret)) {
-			if (!matchMap(secret, DEFAULT_FEISHU_APP_SECRET)) needsFix = true;
-		} else if (typeof secret === "string") {
-			if (secret !== larkApp.appSecret) needsFix = true;
-		} else needsFix = true;
-		if (needsFix) {
-			bot.appSecret = { ...DEFAULT_FEISHU_APP_SECRET };
-			fixCount++;
-		}
-	}
-	if (fixCount > 0) {
-		node_fs.default.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
-		log(`fixed ${fixCount} bot channel config issue(s) (allowFrom/appSecret)`);
-	} else log("bot channel config ok, no fixes needed");
-}
-/**
 * Step 7: Verify startup scripts landed in configDir/scripts/.
 *
 * Scripts are extracted directly to configDir/scripts/ during stageTemplate —
@@ -7099,7 +6981,6 @@ async function runReset(input, taskId, resultFile) {
 		await step5InstallOpenclaw(openclawTag, ossFileMap, log);
 		step(6);
 		mergeCoreBackupAndOrigins(configPath, vars, resetData, log);
-		fixBotChannelConfig(configPath, vars.larkApps, log);
 		step(7);
 		verifyStartupScripts(configDir, log);
 		step(8);
@@ -7898,8 +7779,7 @@ function normalizeCtx(raw) {
 			reset: {
 				templateVars: r.reset.templateVars ?? {},
 				coreBackup: r.reset.coreBackup
-			},
-			larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
+			}
 		};
 	}
 	const vars = r.vars ?? {};
@@ -7924,8 +7804,7 @@ function normalizeCtx(raw) {
 		reset: {
 			templateVars: resetData.templateVars ?? {},
 			coreBackup: resetData.coreBackup
-		},
-		larkApps: Array.isArray(r.larkApps) ? r.larkApps : []
+		}
 	};
 }
 function fillApp(src) {
@@ -7990,8 +7869,7 @@ function buildCheckInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		templateVars: ctx.app.templateVars
 	};
@@ -8023,8 +7901,7 @@ function buildRepairInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		repairData: {
 			secretsContent: ctx.secrets.secretsContent,
@@ -8060,8 +7937,7 @@ function buildResetInput(raw, configPathOverride) {
 			providerFilePath: PROVIDER_FILE_PATH,
 			secretsFilePath: SECRETS_FILE_PATH,
 			templateVars: ctx.app.templateVars,
-			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag,
-			larkApps: ctx.larkApps
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		resetData: {
 			templateVars: ctx.reset.templateVars,
@@ -10371,7 +10247,7 @@ async function reportCliRun(opts) {
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.14-alpha.11`;
+	return `v0.1.14-alpha.13`;
 }
 const COMMANDS = [
 	{
@@ -10475,12 +10351,16 @@ EXIT CODES
 		hidden: true,
 		summary: "Run rule-engine check only",
 		help: `USAGE
-  ${BIN} check
+  ${BIN} check [--ctx=<base64>]
 DESCRIPTION
   Runs the rule engine against the sandbox's current openclaw config and
-  returns { failedRules }. Ctx is fetched from innerapi automatically.
-  End-users should prefer \`doctor\`.
+  returns { failedRules }. Used by sandbox_console's push-style callers
+  that already own the ctx — end-users should prefer \`doctor\`.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi (same path as doctor).
 `
 	},
 	{
@@ -10488,11 +10368,16 @@ DESCRIPTION
 		hidden: true,
 		summary: "Apply standard-mode repairs",
 		help: `USAGE
-  ${BIN} repair
+  ${BIN} repair [--ctx=<base64>]
 DESCRIPTION
-  Runs repair for the failing rules. Ctx is fetched from innerapi
-  automatically. End-users should use \`doctor --fix\` instead.
+  Runs repair for the failing rules listed inside the ctx's repairData.
+  Intended for sandbox_console's push path — end-users should use
+  \`doctor --fix\` instead.
+OPTIONS
+  --ctx=<base64>   Opaque ctx JSON (base64). When absent, fetched from
+                   innerapi.
 `
 	},
 	{
@@ -10500,15 +10385,14 @@ DESCRIPTION
 		hidden: true,
 		summary: "Re-initialize sandbox via the 9-step reset pipeline",
 		help: `USAGE
-  ${BIN} reset --async
-  ${BIN} reset --worker --task-id=<id>
+  ${BIN} reset --async  [--ctx=<base64>]
+  ${BIN} reset --worker --task-id=<id> [--ctx=<base64>]
 DESCRIPTION
   Two-phase pipeline driven asynchronously: the --async invocation spawns
   a detached worker and returns { taskId } immediately; the --worker
   invocation (spawned by --async) runs the actual 9 steps and writes
   progress to /tmp/openclaw-diagnose/reset-<taskId>.json.
-  Ctx is fetched from innerapi automatically.
   Poll progress with \`${BIN} get_reset_task --task-id=<id>\`.
@@ -10516,6 +10400,7 @@ OPTIONS
   --async           Start a detached worker and return taskId on stdout.
   --worker          Internal — run the 9-step pipeline (launched by --async).
   --task-id=<id>    Required with --worker; identifies the progress file.
+  --ctx=<base64>    Opaque ctx JSON; fetched from innerapi when absent.
 `
 	},
 	{
@@ -10538,7 +10423,7 @@ OPTIONS
 		hidden: true,
 		summary: "Download + install the openclaw tarball",
 		help: `USAGE
-  ${BIN} install-openclaw <tag> [--oss_file_map=<base64>]
+  ${BIN} install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]
 DESCRIPTION
   Downloads the openclaw@<tag> tgz via the signed OSS URL found in the
@@ -10550,9 +10435,9 @@ ARGUMENTS
   <tag>                Openclaw version tag, e.g. 2026.4.11.
 OPTIONS
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
   --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi
-                       entirely. When absent, ossFileMap is fetched from
-                       innerapi automatically.
+                       entirely. Wins over --ctx when both provided.
 `
 	},
 	{
@@ -10578,7 +10463,8 @@ OPTIONS
   --home_base=<dir>    Override the /home/gem base (tests).
   --config_path=<p>    Override the openclaw.json path (tests).
   --skip-config-update Leave plugins.installs in openclaw.json untouched.
-  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
+  --ctx=<base64>       Opaque ctx; see install-openclaw for semantics.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
 `
 	},
 	{
@@ -10605,6 +10491,7 @@ OPTIONS
   --cli=<name>         CLI package to install by short name or scoped
                        packageName (repeatable, at least one required).
   --home_base=<dir>    Override the /home/gem base (tests).
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
   --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
 EXAMPLES
@@ -10711,7 +10598,8 @@ OPTIONS
   --role=<role>        Package role (e.g. template, config).
   --name=<name>        Package name within the role.
   --dir=<dir>          Target dir (defaults to dirname(pkg.installPath)).
-  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
+  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
+  --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
 `
 	}
 ];
@@ -10787,31 +10675,31 @@ function planVarsFields(opts = {}) {
 *
 * Per-command group needs:
 *
-*   doctor / check    app + larkApps
-*   repair            app + secrets + larkApps
-*   reset             app + secrets + install + reset + larkApps
+*   doctor / check    app (rule-driven)
+*   repair            app + secrets   (writes secretsContent / providerKeyContent)
+*   reset             app + secrets + install + reset (the works)
 *   install-*         install only
 *
 * Empty result (`{}`) means "no group needed" — the CLI can skip the
 * `fetchCtxViaInnerApi` call entirely and run with a synthetic empty ctx.
+* Happens e.g. when the user pinned `--rule=<key>` to a vars-free rule on
+* `doctor`.
 */
 function planCtxPopulate(opts) {
 	if (opts.command === "install") return { install: true };
 	const populate = {};
-	if (planVarsFields({
+	const appFields = planVarsFields({
 		disabled: opts.disabled,
 		onlyRules: opts.onlyRules,
 		profile: opts.profile
-	}).length > 0) populate.app = true;
-	if (opts.command === "repair") {
-		populate.secrets = true;
-		populate.larkApps = true;
-	} else if (opts.command === "reset") {
+	});
+	if (appFields.length > 0) populate.app = appFields;
+	if (opts.command === "repair") populate.secrets = true;
+	else if (opts.command === "reset") {
 		populate.secrets = true;
 		populate.install = true;
 		populate.reset = true;
-		populate.larkApps = true;
-	} else if (opts.command === "doctor" || opts.command === "check") populate.larkApps = true;
+	}
 	return populate;
 }
 //#endregion
@@ -10870,6 +10758,21 @@ function reportDoctorRunToSlardar(opts) {
 const args = node_process.default.argv.slice(2);
 const mode = args.find((a) => !a.startsWith("-"));
 /**
+* Decode `--ctx=<base64>` into an opaque JSON object. Returns undefined when
+* the flag isn't present — the caller decides whether to fall back to the
+* innerapi or to error out.
+*
+* The object's shape is not enforced here; downstream code consumes it via
+* either `normalizeCtx()` (new path) or direct field access for the legacy
+* check/repair/reset contract still used by sandbox_console push.
+*/
+function parseCtxFlag(args) {
+	const ctxArg = args.find((a) => a.startsWith("--ctx="));
+	if (!ctxArg) return void 0;
+	const b64 = ctxArg.slice(6);
+	return JSON.parse(Buffer.from(b64, "base64").toString("utf-8"));
+}
+/**
 * Pull the first non-flag positional after the mode name.
 * (The mode itself is args[0] in the filtered set, so we skip index 0.)
 */
@@ -10897,8 +10800,8 @@ function getMultiFlag(args, name) {
 * case but is no longer consulted.
 */
 async function reportRun(command, rc, _raw, invocation, durationMs, outcome, slardar = {
-	scene: void 0,
-	profile: "standard",
+	scene,
+	profile,
 	fix: false
 }) {
 	console.error(`${command}: telemetry calling report_cli_run`);
@@ -10962,7 +10865,7 @@ async function main() {
 	console.error(`${mode}: begin argv=[${args.join(" ")}] version=${getVersion()} traceId=${traceId ?? "-"} caller=${caller ?? "-"} runIdGenerated=${rc.generated}`);
 	switch (mode) {
 		case "check": {
-			const raw = await fetchCtxViaInnerApi({
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 				populate: planCtxPopulate({
 					command: "check",
 					profile
@@ -10987,7 +10890,7 @@ async function main() {
 			break;
 		}
 		case "repair": {
-			const raw = await fetchCtxViaInnerApi({
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 				populate: planCtxPopulate({
 					command: "repair",
 					profile
@@ -11058,15 +10961,27 @@ async function main() {
 			break;
 		}
 		case "reset":
-			if (args.includes("--async")) console.log(JSON.stringify(startAsyncReset()));
-			else if (args.includes("--worker")) {
+			if (args.includes("--async")) {
+				const ctxArg = args.find((a) => a.startsWith("--ctx="));
+				let ctxBase64;
+				if (ctxArg) ctxBase64 = ctxArg.slice(6);
+				else {
+					const fetched = await fetchCtxViaInnerApi({
+						populate: planCtxPopulate({ command: "reset" }),
+						caller,
+						traceId
+					});
+					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
+				}
+				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
+			} else if (args.includes("--worker")) {
 				const taskId = args.find((a) => a.startsWith("--task-id="))?.slice(10);
 				if (!taskId) {
 					console.error("Error: --task-id=<id> is required for worker");
 					node_process.default.exit(1);
 				}
 				const resultFile = resetResultFile(taskId);
-				const raw = await fetchCtxViaInnerApi({
+				const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "reset" }),
 					caller,
 					traceId
@@ -11090,7 +11005,7 @@ async function main() {
 					return;
 				}
 			} else {
-				console.error("Usage: reset --async | reset --worker --task-id=<id>");
+				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
 				node_process.default.exit(1);
 			}
 			break;
@@ -11106,14 +11021,14 @@ async function main() {
 		case "install-openclaw": {
 			const tag = getPositionalTag(args, "install-openclaw");
 			if (!tag) {
-				console.error("Usage: install-openclaw <tag> [--oss_file_map=<base64>]");
+				console.error("Usage: install-openclaw <tag> [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11148,7 +11063,7 @@ async function main() {
 		case "install-extension": {
 			const tag = getPositionalTag(args, "install-extension");
 			if (!tag) {
-				console.error("Usage: install-extension <tag> (--all | --extension=<name>...) [--home_base=<dir>] [--config_path=<path>] [--skip-config-update] [--oss_file_map=<base64>]");
+				console.error("Usage: install-extension <tag> (--all | --extension=<name>...) [--home_base=<dir>] [--config_path=<path>] [--skip-config-update] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const all = args.includes("--all");
@@ -11160,7 +11075,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11206,12 +11121,12 @@ async function main() {
 		case "install-cli": {
 			const tag = getPositionalTag(args, "install-cli");
 			if (!tag) {
-				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const names = getMultiFlag(args, "cli");
 			if (names.length === 0) {
-				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: install-cli <tag> --cli=<name>... [--home_base=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const homeBase = getFlag(args, "home_base");
@@ -11219,7 +11134,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId
@@ -11267,7 +11182,7 @@ async function main() {
 		case "download-resource": {
 			const tag = getPositionalTag(args, "download-resource");
 			if (!tag) {
-				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [--oss_file_map=<base64>]");
+				console.error("Usage: download-resource <tag> --role=<role> --name=<name> [--dir=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
 				node_process.default.exit(1);
 			}
 			const role = getFlag(args, "role");
@@ -11281,7 +11196,7 @@ async function main() {
 			let installOssFileMap;
 			let rawForTelemetry;
 			if (!ossFileMapFlag) {
-				rawForTelemetry = await fetchCtxViaInnerApi({
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
 					populate: planCtxPopulate({ command: "install" }),
 					caller,
 					traceId