npm - @lark-apaas/openclaw-scripts-diagnose-cli - Versions diffs - 0.1.4-alpha.0 → 0.1.4-alpha.1 - Mend

@lark-apaas/openclaw-scripts-diagnose-cli 0.1.4-alpha.0 → 0.1.4-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.cjs +1633 -433
package/package.json +3 -1

package/dist/index.cjs CHANGED Viewed

@@ -36,9 +36,26 @@ let node_os = require("node:os");
 node_os = __toESM(node_os);
 let node_stream = require("node:stream");
 let node_stream_promises = require("node:stream/promises");
+let _lark_apaas_http_client = require("@lark-apaas/http-client");
 let node_assert = require("node:assert");
 node_assert = __toESM(node_assert);
-let _lark_apaas_http_client = require("@lark-apaas/http-client");
+let json_diff = require("json-diff");
+//#region src/version.ts
+/**
+* Machine-readable identifier of the running CLI build.
+*
+*   prod build   → "0.1.3"               (the published semver)
+*   local-test   → "local-test@2026-04-28T12:30:11.123Z"
+*
+* Exists separately from `help.ts`'s `versionBanner()`, which is for human
+* display and includes prose like "(local test build, not a published
+* release)". This one goes into telemetry payloads and log slicing — keep
+* it terse and parseable.
+*/
+function getVersion() {
+	return "0.1.4-alpha.1";
+}
+//#endregion
 //#region src/rule-engine/base.ts
 /** Abstract base class for all diagnose rules */
 var DiagnoseRule = class {
@@ -415,7 +432,7 @@ let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends Diagno
 		};
 	}
 	repair(ctx) {
-		const map = ctx.templateVars;
+		const map = ctx.vars.templateVars;
 		if (!map || Object.keys(map).length === 0) return;
 		replaceInPlace(ctx.config, Object.entries(map));
 	}
@@ -423,7 +440,8 @@ let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends Diagno
 TemplateVarsUnreplacedRule = __decorate([Rule({
 	key: "template_vars_unreplaced",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["templateVars"]
 })], TemplateVarsUnreplacedRule);
 function collectPlaceholders(value, found) {
 	if (typeof value === "string") {
@@ -466,32 +484,33 @@ function applyVars(str, entries) {
 }
 //#endregion
 //#region src/rules/model-provider.ts
-var _ModelProviderRule;
-let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
-	static {
-		_ModelProviderRule = this;
-	}
-	static DEFAULT_API_KEY = {
-		source: "file",
-		provider: "miaoda-provider",
-		id: "value"
-	};
-	static DEFAULT_X_API_KEY_HEADER = {
-		source: "file",
-		provider: "miaoda-secret-provider",
-		id: "/models_providers_miaoda_headers_x_api_key"
+const DEFAULT_API_KEY = {
+	source: "file",
+	provider: "miaoda-provider",
+	id: "value"
+};
+const DEFAULT_X_API_KEY_HEADER = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/models_providers_miaoda_headers_x_api_key"
+};
+const DEFAULT_API = "openai-completions";
+function getExpected(vars) {
+	return {
+		baseUrl: vars.baseURL + "/api/v1/sgw/model/proxy",
+		apiKey: DEFAULT_API_KEY,
+		api: DEFAULT_API,
+		headers: { "x-api-key": DEFAULT_X_API_KEY_HEADER }
 	};
-	static DEFAULT_API = "openai-completions";
-	static getExpectedBaseUrl(vars) {
-		return vars.baseURL + "/api/v1/sgw/model/proxy";
-	}
+}
+let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 	validate(ctx) {
 		const provider = getNestedMap(ctx.config, "models", "providers", "miaoda");
 		if (!provider) return {
 			pass: false,
 			message: "models.providers.miaoda not found"
 		};
-		const expected = this.getExpected(ctx.vars);
+		const expected = getExpected(ctx.vars);
 		if (provider.baseUrl !== expected.baseUrl) return {
 			pass: false,
 			message: "baseUrl mismatch: got " + provider.baseUrl + ", expected " + expected.baseUrl
@@ -539,7 +558,7 @@ let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 		return { pass: true };
 	}
 	repair(ctx) {
-		const expected = this.getExpected(ctx.vars);
+		const expected = getExpected(ctx.vars);
 		setNestedValue(ctx.config, [
 			"models",
 			"providers",
@@ -565,19 +584,12 @@ let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 			"headers"
 		], expected.headers);
 	}
-	getExpected(vars) {
-		return {
-			baseUrl: _ModelProviderRule.getExpectedBaseUrl(vars),
-			apiKey: _ModelProviderRule.DEFAULT_API_KEY,
-			api: _ModelProviderRule.DEFAULT_API,
-			headers: { "x-api-key": _ModelProviderRule.DEFAULT_X_API_KEY_HEADER }
-		};
-	}
 };
-ModelProviderRule = _ModelProviderRule = __decorate([Rule({
+ModelProviderRule = __decorate([Rule({
 	key: "model_provider",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: ["innerAPIKey", "baseURL"],
 	skipWhen: ({ hasMiaoda }) => !hasMiaoda
 })], ModelProviderRule);
 //#endregion
@@ -707,7 +719,8 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 FeishuChannelRule = __decorate([Rule({
 	key: "feishu_channel",
 	dependsOn: ["config_syntax_check", "feishu_default_account"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["feishuAppID", "feishuAppSecret"]
 })], FeishuChannelRule);
 //#endregion
 //#region src/rules/feishu-default-account.ts
@@ -848,7 +861,8 @@ let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRu
 FeishuDefaultAccountRule = __decorate([Rule({
 	key: "feishu_default_account",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["feishuAppID", "teamChatID"]
 })], FeishuDefaultAccountRule);
 function nonEmpty(v) {
 	return typeof v === "string" && v !== "" ? v : void 0;
@@ -879,23 +893,19 @@ function secretMatchesCanonical(secret) {
 }
 //#endregion
 //#region src/rules/gateway.ts
-var _GatewayRule;
+const DEFAULT_PORT = 18789;
+const DEFAULT_MODE = "local";
+const DEFAULT_BIND = "loopback";
+const DEFAULT_AUTH_MODE = "token";
+const DEFAULT_AUTH_TOKEN = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/gateway_auth_token"
+};
+/** Required entries in gateway.trustedProxies. Repair appends any missing
+*  entries while preserving caller-added extras (no overwrite). */
+const DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
 let GatewayRule = class GatewayRule extends DiagnoseRule {
-	static {
-		_GatewayRule = this;
-	}
-	static DEFAULT_PORT = 18789;
-	static DEFAULT_MODE = "local";
-	static DEFAULT_BIND = "loopback";
-	static DEFAULT_AUTH_MODE = "token";
-	static DEFAULT_AUTH_TOKEN = {
-		source: "file",
-		provider: "miaoda-secret-provider",
-		id: "/gateway_auth_token"
-	};
-	/** Required entries in gateway.trustedProxies. Repair appends any missing
-	*  entries while preserving caller-added extras (no overwrite). */
-	static DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
 	validate(ctx) {
 		const gateway = ctx.config.gateway;
 		if (!gateway || typeof gateway !== "object") return {
@@ -903,17 +913,17 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			message: "gateway not found"
 		};
 		const gw = gateway;
-		if (gw.port !== _GatewayRule.DEFAULT_PORT) return {
+		if (gw.port !== DEFAULT_PORT) return {
 			pass: false,
-			message: "gateway.port mismatch: got " + gw.port + ", expected " + _GatewayRule.DEFAULT_PORT
+			message: "gateway.port mismatch: got " + gw.port + ", expected 18789"
 		};
-		if (gw.mode !== _GatewayRule.DEFAULT_MODE) return {
+		if (gw.mode !== DEFAULT_MODE) return {
 			pass: false,
-			message: "gateway.mode mismatch: got " + gw.mode + ", expected " + _GatewayRule.DEFAULT_MODE
+			message: "gateway.mode mismatch: got " + gw.mode + ", expected local"
 		};
-		if (gw.bind !== _GatewayRule.DEFAULT_BIND) return {
+		if (gw.bind !== DEFAULT_BIND) return {
 			pass: false,
-			message: "gateway.bind mismatch: got " + gw.bind + ", expected " + _GatewayRule.DEFAULT_BIND
+			message: "gateway.bind mismatch: got " + gw.bind + ", expected loopback"
 		};
 		const auth = gw.auth;
 		if (!auth || typeof auth !== "object") return {
@@ -921,9 +931,9 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			message: "gateway.auth not found"
 		};
 		const authObj = auth;
-		if (authObj.mode !== _GatewayRule.DEFAULT_AUTH_MODE) return {
+		if (authObj.mode !== DEFAULT_AUTH_MODE) return {
 			pass: false,
-			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected " + _GatewayRule.DEFAULT_AUTH_MODE
+			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected token"
 		};
 		const token = authObj.token;
 		if (typeof token === "string") {
@@ -932,7 +942,7 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 				message: "gateway.auth.token string value mismatch"
 			};
 		} else if (typeof token === "object" && token !== null && !Array.isArray(token)) {
-			if (!matchMap(token, _GatewayRule.DEFAULT_AUTH_TOKEN)) return {
+			if (!matchMap(token, DEFAULT_AUTH_TOKEN)) return {
 				pass: false,
 				message: "gateway.auth.token object mismatch: got " + JSON.stringify(token)
 			};
@@ -954,7 +964,7 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			pass: false,
 			message: "gateway.trustedProxies missing or not an array"
 		};
-		const missing = _GatewayRule.DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
+		const missing = DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
 		if (missing.length > 0) return {
 			pass: false,
 			message: "gateway.trustedProxies missing: " + JSON.stringify(missing)
@@ -962,19 +972,19 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 		return { pass: true };
 	}
 	repair(ctx) {
-		setNestedValue(ctx.config, ["gateway", "port"], _GatewayRule.DEFAULT_PORT);
-		setNestedValue(ctx.config, ["gateway", "mode"], _GatewayRule.DEFAULT_MODE);
-		setNestedValue(ctx.config, ["gateway", "bind"], _GatewayRule.DEFAULT_BIND);
+		setNestedValue(ctx.config, ["gateway", "port"], DEFAULT_PORT);
+		setNestedValue(ctx.config, ["gateway", "mode"], DEFAULT_MODE);
+		setNestedValue(ctx.config, ["gateway", "bind"], DEFAULT_BIND);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"auth",
 			"mode"
-		], _GatewayRule.DEFAULT_AUTH_MODE);
+		], DEFAULT_AUTH_MODE);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"auth",
 			"token"
-		], _GatewayRule.DEFAULT_AUTH_TOKEN);
+		], DEFAULT_AUTH_TOKEN);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"controlUi",
@@ -983,17 +993,18 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 		const gw = ctx.config.gateway ?? {};
 		const current = Array.isArray(gw.trustedProxies) ? gw.trustedProxies.slice() : [];
 		const seen = new Set(current.map((v) => String(v)));
-		for (const p of _GatewayRule.DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
+		for (const p of DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
 			current.push(p);
 			seen.add(p);
 		}
 		setNestedValue(ctx.config, ["gateway", "trustedProxies"], current);
 	}
 };
-GatewayRule = _GatewayRule = __decorate([Rule({
+GatewayRule = __decorate([Rule({
 	key: "gateway",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["gatewayToken"]
 })], GatewayRule);
 //#endregion
 //#region src/rules/allowed-origins.ts
@@ -1037,7 +1048,8 @@ let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 AllowedOriginsRule = __decorate([Rule({
 	key: "allowed_origins",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["expectedOrigins"]
 })], AllowedOriginsRule);
 function getExpectedOrigins(vars) {
 	return Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
@@ -1116,11 +1128,12 @@ JwtTokenRule = __decorate([Rule({
 	key: "jwt_token",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: ["providerFilePath"],
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider
 })], JwtTokenRule);
 //#endregion
 //#region src/rules/secrets-file.ts
-let SecretsRule = class SecretsRule extends DiagnoseRule {
+let SecretsFileRule = class SecretsFileRule extends DiagnoseRule {
 	validate(ctx) {
 		const filePath = ctx.vars.secretsFilePath;
 		if (!filePath) return {
@@ -1167,12 +1180,18 @@ let SecretsRule = class SecretsRule extends DiagnoseRule {
 		};
 	}
 };
-SecretsRule = __decorate([Rule({
+SecretsFileRule = __decorate([Rule({
 	key: "secrets_file",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: [
+		"secretsFilePath",
+		"feishuAppSecret",
+		"gatewayToken",
+		"innerAPIKey"
+	],
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaSecretProvider
-})], SecretsRule);
+})], SecretsFileRule);
 //#endregion
 //#region src/rules/cleanup-install-backup-dirs.ts
 const DIR_PREFIX = ".openclaw-install-";
@@ -1386,16 +1405,26 @@ function getAllow(config) {
 }
 //#endregion
 //#region src/check.ts
-function runCheck(input) {
+/** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
+*  AND a DoctorReport-shape payload (for `openclaw.report_cli_run`). The
+*  two views are computed from the same single rule-loop pass. */
+function runCheckWithReport(input) {
+	return runCheckImpl(input);
+}
+function runCheckImpl(input) {
+	const tStart = Date.now();
 	const result = { failedRules: {
 		standard: [],
 		ai: [],
 		reset: []
 	} };
+	const outcomes = [];
 	const disabledSet = new Set(input.disabledRules || []);
 	const rules = getAllRules();
 	const failedKeys = /* @__PURE__ */ new Set();
 	let configParsed = false;
+	let aborted = false;
+	console.error(`runCheck: begin configPath=${input.configPath} disabledRules=[${[...disabledSet].join(",")}] rules=${rules.length}`);
 	let ctx = {
 		config: {},
 		configPath: input.configPath,
@@ -1403,13 +1432,29 @@ function runCheck(input) {
 		providerDeps: {
 			usesMiaodaProvider: false,
 			usesMiaodaSecretProvider: false
-		},
-		templateVars: input.templateVars
+		}
 	};
 	for (const rule of rules) {
 		const meta = rule.meta;
-		if (disabledSet.has(meta.key)) continue;
-		if (meta.dependsOn?.some((dep) => failedKeys.has(dep))) continue;
+		if (disabledSet.has(meta.key)) {
+			console.error(`rule ${meta.key}: skipped reason=disabledRules`);
+			outcomes.push({
+				rule: meta.key,
+				status: "skipped",
+				message: "disabledRules"
+			});
+			continue;
+		}
+		if (meta.dependsOn?.some((dep) => failedKeys.has(dep))) {
+			const blockers = meta.dependsOn?.filter((d) => failedKeys.has(d)).join(",");
+			console.error(`rule ${meta.key}: skipped reason=dependsOn-failed blockers=${blockers}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "skipped",
+				message: `dependsOn failed: ${blockers}`
+			});
+			continue;
+		}
 		if (meta.dependsOn?.includes("config_syntax_check") && !configParsed) try {
 			const parsed = loadJSON5().parse(readFile(input.configPath));
 			const deps = analyzeProviderDeps(parsed);
@@ -1417,11 +1462,17 @@ function runCheck(input) {
 				config: parsed,
 				configPath: input.configPath,
 				vars: input.vars,
-				providerDeps: deps,
-				templateVars: input.templateVars
+				providerDeps: deps
 			};
 			configParsed = true;
-		} catch {
+		} catch (e) {
+			console.error(`runCheck: config parse failed at ${meta.key} message=${e.message}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "error",
+				message: "config parse failed: " + e.message
+			});
+			aborted = true;
 			break;
 		}
 		if (meta.skipWhen && configParsed) {
@@ -1429,15 +1480,53 @@ function runCheck(input) {
 			if (meta.skipWhen({
 				hasMiaoda,
 				deps: ctx.providerDeps
-			})) continue;
+			})) {
+				console.error(`rule ${meta.key}: skipped reason=skipWhen`);
+				outcomes.push({
+					rule: meta.key,
+					status: "skipped",
+					message: "skipWhen"
+				});
+				continue;
+			}
+		}
+		const t = Date.now();
+		let r;
+		try {
+			r = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${meta.key}: validate -> error durationMs=${Date.now() - t} message=${msg}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "error",
+				message: "validate threw: " + msg
+			});
+			failedKeys.add(meta.key);
+			continue;
 		}
-		const r = rule.validate(ctx);
-		if (!r.pass) {
+		if (r.pass) {
+			console.error(`rule ${meta.key}: validate -> pass durationMs=${Date.now() - t}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "pass"
+			});
+		} else {
+			console.error(`rule ${meta.key}: validate -> failed durationMs=${Date.now() - t} message=${r.message ?? ""}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "failed",
+				message: r.message
+			});
 			failedKeys.add(meta.key);
 			pushFailedRule(result, meta.repairMode, meta.key, r.message || "");
 		}
 	}
-	return result;
+	console.error(`runCheck: end totalMs=${Date.now() - tStart} failed={standard:${result.failedRules.standard.length},ai:${result.failedRules.ai.length},reset:${result.failedRules.reset.length}}`);
+	return {
+		legacy: result,
+		report: finalize$2(outcomes, aborted)
+	};
 }
 function pushFailedRule(result, repairMode, key, detail) {
 	switch (repairMode) {
@@ -1458,158 +1547,43 @@ function pushFailedRule(result, repairMode, key, detail) {
 			break;
 	}
 }
-//#endregion
-//#region src/repair.ts
-function runRepair(input) {
-	try {
-		const failedSet = new Set(input.failedRules || []);
-		const repairData = input.repairData || {};
-		const rules = getAllRules();
-		for (const rule of rules) {
-			if (!failedSet.has(rule.meta.key)) continue;
-			if (rule.meta.repairMode !== "standard") continue;
-			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
-			rule.repair({
-				config: {},
-				configPath: input.configPath,
-				vars: input.vars,
-				providerDeps: {
-					usesMiaodaProvider: false,
-					usesMiaodaSecretProvider: false
-				},
-				templateVars: input.templateVars
-			});
-		}
-		const JSON5 = loadJSON5();
-		let config;
-		try {
-			config = JSON5.parse(readFile(input.configPath));
-		} catch (e) {
-			return {
-				success: false,
-				error: "cannot parse config for repair: " + e.message
-			};
-		}
-		const deps = analyzeProviderDeps(config);
-		const ctx = {
-			config,
-			configPath: input.configPath,
-			vars: input.vars,
-			providerDeps: deps,
-			templateVars: input.templateVars
-		};
-		let configDirty = false;
-		for (const rule of rules) {
-			if (!failedSet.has(rule.meta.key)) continue;
-			if (rule.meta.repairMode !== "standard") continue;
-			if (!rule.meta.dependsOn?.includes("config_syntax_check")) continue;
-			rule.repair(ctx);
-			configDirty = true;
-		}
-		if (configDirty) writeFile(input.configPath, JSON.stringify(config, null, 2));
-		if (repairData.secretsContent && input.vars.secretsFilePath) writeFile(input.vars.secretsFilePath, repairData.secretsContent);
-		if (repairData.providerKeyContent && input.vars.providerFilePath) writeFile(input.vars.providerFilePath, repairData.providerKeyContent);
-		if (repairData.restartCommand) try {
-			shell(repairData.restartCommand, 3e4);
-		} catch (e) {
-			return {
-				success: false,
-				error: "restart command failed: " + e.message
-			};
-		}
-		return { success: true };
-	} catch (e) {
-		return {
-			success: false,
-			error: "repair failed: " + e.message
-		};
-	}
-}
-//#endregion
-//#region src/paths.ts
-/**
-* Central directory for all ephemeral diagnose/reset artifacts: task status
-* files (`reset-<taskId>.json`) and human-readable step logs
-* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
-* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
-* run, and each run's log is right next to its state.
-*/
-const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
-function resetResultFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
-}
-function resetLogFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
-}
-/** Sandbox workspace root where openclaw config + agent state lives. */
-const WORKSPACE_DIR = "/home/gem/workspace/agent";
-/** File containing the provider key used by the openclaw miaoda provider. */
-const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
-/** File containing the miaoda openclaw secrets JSON. */
-const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
-/** Absolute path to the openclaw config JSON. */
-const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
-//#endregion
-//#region src/logger.ts
-/**
-* Shared CLI log file. Every log line the CLI emits — whether through
-* `console.error` (rules, helpers, errors) or through the per-task
-* `makeLogger` (reset worker) — is tee'd here so operators have a single
-* file to tail when diagnosing a sandbox.
-*
-* `/tmp` is ephemeral on sandbox restart; we rely on that for rotation
-* (no size-based rotation implemented).
-*/
-const CLI_LOG_FILE = "/tmp/openclaw-diagnose/cli.log";
-/** Append one line to the shared cli.log. Swallows any fs error —
-*  logging must never break the business flow. */
-function appendCliLog(line) {
-	try {
-		const dir = node_path.default.dirname(CLI_LOG_FILE);
-		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-		node_fs.default.appendFileSync(CLI_LOG_FILE, line);
-	} catch {}
-}
-let stderrMirrorInstalled = false;
-/**
-* Install a process-wide `console.error` interceptor that mirrors each
-* line to BOTH the original stderr AND cli.log. Call once at CLI entry
-* before any subcommand dispatch; idempotent.
-*
-* Why console.error and not console.log: the CLI's stdout carries the
-* structured JSON result protocol consumed by sandbox_console and other
-* callers — any log line on stdout would corrupt JSON parsing. Rules,
-* helpers, and error paths therefore must route debug output through
-* console.error (stderr).
-*/
-function installStderrMirror() {
-	if (stderrMirrorInstalled) return;
-	stderrMirrorInstalled = true;
-	const original = console.error.bind(console);
-	console.error = (...args) => {
-		original(...args);
-		const body = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
-		appendCliLog(`[${(/* @__PURE__ */ new Date()).toISOString()}] ${body}\n`);
+function finalize$2(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
 	};
-}
-function safeStringify(v) {
-	try {
-		return JSON.stringify(v);
-	} catch {
-		return String(v);
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
 	}
-}
-function makeLogger(logFile) {
-	try {
-		const dir = node_path.default.dirname(logFile);
-		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	} catch {}
-	return (msg) => {
-		const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] ${msg}\n`;
-		try {
-			node_fs.default.appendFileSync(logFile, line);
-		} catch {}
-		appendCliLog(line);
+	return {
+		results,
+		summary,
+		aborted
 	};
 }
 //#endregion
@@ -1673,6 +1647,40 @@ function shellQuote(s) {
 	return `'${s.replace(/'/g, `'\\''`)}'`;
 }
 /**
+* Snapshot the current `openclaw.json` to `<configPath>.<YYYYMMDD_HHMMSS>.bak`
+* before a repair / fix flow rewrites it. Local-time stamp matches the
+* shell-style backup convention (`cp openclaw.json openclaw.json.$(date
+* +%Y%m%d_%H%M%S).bak`) so operators triaging on the sandbox see the
+* familiar filename pattern.
+*
+* Returns the absolute backup path on success, or `null` when:
+*   - source doesn't exist (first-time setup; nothing to back up)
+*   - copy fails for any reason (disk full, permission denied, etc.)
+*
+* Failure is logged to cli.log via console.error and swallowed — the
+* caller's repair/fix work goes ahead either way. The backup is a safety
+* net, not a correctness gate; better to do the repair than refuse over
+* a missing rollback file.
+*/
+function backupConfigSync(configPath) {
+	if (!node_fs.default.existsSync(configPath)) {
+		console.error(`backupConfigSync: skip — source missing path=${configPath}`);
+		return null;
+	}
+	const d = /* @__PURE__ */ new Date();
+	const pad = (n) => String(n).padStart(2, "0");
+	const backupPath = `${configPath}.${`${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}_${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}`}.bak`;
+	try {
+		node_fs.default.copyFileSync(configPath, backupPath);
+		const bytes = node_fs.default.statSync(backupPath).size;
+		console.error(`backupConfigSync: ok src=${configPath} dst=${backupPath} bytes=${bytes}`);
+		return backupPath;
+	} catch (e) {
+		console.error(`backupConfigSync: failed src=${configPath} message=${e.message}`);
+		return null;
+	}
+}
+/**
 * Extract an npm-packed gzipped tarball.
 *
 * ## The problem this works around
@@ -1746,59 +1754,510 @@ function extractTarballTolerant(tarball, destDir, opts = {}) {
 	}
 }
 //#endregion
-//#region src/reset-async.ts
-/**
-* Start an async reset task: spawn a detached child process and return the taskId.
-*
-* The child process runs: node cli.js reset --worker --task-id=xxx --ctx=base64
-*/
-function startAsyncReset(ctxBase64) {
-	const taskId = (0, node_crypto.randomUUID)();
-	const resultFile = resetResultFile(taskId);
-	const log = makeLogger(resetLogFile(taskId));
-	log(`=== startAsyncReset spawning worker for taskId=${taskId} ===`);
-	const initial = {
-		status: "running",
-		step: 0,
-		totalSteps: 9,
-		progress: "初始化...",
-		startedAt: (/* @__PURE__ */ new Date()).toISOString()
-	};
-	const tmpPath = resultFile + ".tmp";
-	const dir = node_path.default.dirname(resultFile);
-	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	node_fs.default.writeFileSync(tmpPath, JSON.stringify(initial), "utf-8");
-	moveSafe(tmpPath, resultFile);
-	const child = (0, node_child_process.spawn)(process.execPath, [
-		process.argv[1],
-		"reset",
-		"--worker",
-		`--task-id=${taskId}`,
-		`--ctx=${ctxBase64}`
-	], {
-		detached: true,
-		stdio: "ignore"
-	});
-	child.on("error", (err) => {
-		log(`FATAL worker failed to start: ${err.message}`);
-		const failResult = {
-			status: "failed",
-			step: 0,
-			totalSteps: 9,
-			progress: "Worker process failed to start",
-			error: err.message,
-			startedAt: initial.startedAt,
-			completedAt: (/* @__PURE__ */ new Date()).toISOString()
-		};
-		const errTmpPath = resultFile + ".tmp";
-		node_fs.default.writeFileSync(errTmpPath, JSON.stringify(failResult));
-		moveSafe(errTmpPath, resultFile);
-	});
-	child.unref();
-	log(`spawned worker pid=${child.pid}`);
+//#region src/repair.ts
+/** Telemetry-aware entry. Same per-rule pass + side effects, but also
+*  builds a `DoctorReport`-shape payload from per-rule revalidate
+*  outcomes (`fixed` / `still-broken` / `error`) so `report_cli_run`
+*  carries the same shape doctor produces. */
+function runRepairWithReport(input) {
+	return runRepairImpl(input);
+}
+function runRepairImpl(input) {
+	const tStart = Date.now();
+	console.error(`runRepair: begin configPath=${input.configPath} failedRules=[${(input.failedRules ?? []).join(",")}]`);
+	const outcomes = [];
+	let aborted = false;
+	let legacy = { success: true };
+	try {
+		const failedSet = new Set(input.failedRules || []);
+		const repairData = input.repairData || {};
+		const rules = getAllRules();
+		const phase1Ctx = {
+			config: {},
+			configPath: input.configPath,
+			vars: input.vars,
+			providerDeps: {
+				usesMiaodaProvider: false,
+				usesMiaodaSecretProvider: false
+			}
+		};
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			const tRepair = Date.now();
+			try {
+				rule.repair(phase1Ctx);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: repair (phase1) -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "repair threw: " + msg
+				});
+				aborted = true;
+				continue;
+			}
+			console.error(`rule ${rule.meta.key}: repair (phase1) -> ok durationMs=${Date.now() - tRepair}`);
+			const tRev = Date.now();
+			try {
+				const v = rule.validate(phase1Ctx);
+				if (v.pass) {
+					console.error(`rule ${rule.meta.key}: revalidate (phase1) -> pass (fixed) durationMs=${Date.now() - tRev}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "fixed"
+					});
+				} else {
+					console.error(`rule ${rule.meta.key}: revalidate (phase1) -> still-broken durationMs=${Date.now() - tRev} after=${v.message ?? ""}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "still-broken",
+						after: v.message
+					});
+				}
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: revalidate (phase1) -> error durationMs=${Date.now() - tRev} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "post-repair validate threw: " + msg
+				});
+				aborted = true;
+			}
+		}
+		const JSON5 = loadJSON5();
+		let config;
+		try {
+			config = JSON5.parse(readFile(input.configPath));
+		} catch (e) {
+			const msg = e.message;
+			console.error(`runRepair: config parse failed message=${msg}`);
+			outcomes.push({
+				rule: "config_syntax_check",
+				status: "error",
+				message: "config parse failed: " + msg
+			});
+			legacy = {
+				success: false,
+				error: "cannot parse config for repair: " + msg
+			};
+			return {
+				legacy,
+				report: finalize$1(outcomes, true)
+			};
+		}
+		const deps = analyzeProviderDeps(config);
+		const ctx = {
+			config,
+			configPath: input.configPath,
+			vars: input.vars,
+			providerDeps: deps
+		};
+		let configDirty = false;
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (!rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			const tRepair = Date.now();
+			try {
+				rule.repair(ctx);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: repair (phase2) -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "repair threw: " + msg
+				});
+				aborted = true;
+				continue;
+			}
+			console.error(`rule ${rule.meta.key}: repair (phase2) -> ok durationMs=${Date.now() - tRepair}`);
+			configDirty = true;
+			const tRev = Date.now();
+			try {
+				const v = rule.validate(ctx);
+				if (v.pass) {
+					console.error(`rule ${rule.meta.key}: revalidate (phase2) -> pass (fixed) durationMs=${Date.now() - tRev}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "fixed"
+					});
+				} else {
+					console.error(`rule ${rule.meta.key}: revalidate (phase2) -> still-broken durationMs=${Date.now() - tRev} after=${v.message ?? ""}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "still-broken",
+						after: v.message
+					});
+				}
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: revalidate (phase2) -> error durationMs=${Date.now() - tRev} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "post-repair validate threw: " + msg
+				});
+				aborted = true;
+			}
+		}
+		if (configDirty) {
+			backupConfigSync(input.configPath);
+			const serialized = JSON.stringify(config, null, 2);
+			writeFile(input.configPath, serialized);
+			console.error(`runRepair: config writeback ok path=${input.configPath} bytes=${serialized.length}`);
+		}
+		if (repairData.secretsContent && input.vars.secretsFilePath) {
+			writeFile(input.vars.secretsFilePath, repairData.secretsContent);
+			console.error(`runRepair: secrets writeback ok path=${input.vars.secretsFilePath} bytes=${repairData.secretsContent.length}`);
+		}
+		if (repairData.providerKeyContent && input.vars.providerFilePath) {
+			writeFile(input.vars.providerFilePath, repairData.providerKeyContent);
+			console.error(`runRepair: provider key writeback ok path=${input.vars.providerFilePath} bytes=${repairData.providerKeyContent.length}`);
+		}
+		if (repairData.restartCommand) {
+			const t = Date.now();
+			try {
+				console.error(`runRepair: restart begin cmd=${JSON.stringify(repairData.restartCommand)}`);
+				shell(repairData.restartCommand, 3e4);
+				console.error(`runRepair: restart ok durationMs=${Date.now() - t}`);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`runRepair: restart failed durationMs=${Date.now() - t} message=${msg}`);
+				legacy = {
+					success: false,
+					error: "restart command failed: " + msg
+				};
+				return {
+					legacy,
+					report: finalize$1(outcomes, true)
+				};
+			}
+		}
+		console.error(`runRepair: end success=true totalMs=${Date.now() - tStart}`);
+		legacy = { success: true };
+		return {
+			legacy,
+			report: finalize$1(outcomes, aborted)
+		};
+	} catch (e) {
+		const msg = e.message;
+		console.error(`runRepair: end success=false totalMs=${Date.now() - tStart} message=${msg}`);
+		legacy = {
+			success: false,
+			error: "repair failed: " + msg
+		};
+		return {
+			legacy,
+			report: finalize$1(outcomes, true)
+		};
+	}
+}
+function finalize$1(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
+	};
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
+	}
+	return {
+		results,
+		summary,
+		aborted
+	};
+}
+//#endregion
+//#region src/paths.ts
+/**
+* Central directory for all ephemeral diagnose/reset artifacts: task status
+* files (`reset-<taskId>.json`) and human-readable step logs
+* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
+* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
+* run, and each run's log is right next to its state.
+*/
+const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
+function resetResultFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
+}
+function resetLogFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
+}
+/** Sandbox workspace root where openclaw config + agent state lives. */
+const WORKSPACE_DIR = "/home/gem/workspace/agent";
+/** File containing the provider key used by the openclaw miaoda provider. */
+const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
+/** File containing the miaoda openclaw secrets JSON. */
+const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
+/** Absolute path to the openclaw config JSON. */
+const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
+//#endregion
+//#region src/run-log.ts
+let currentRunContext;
+/**
+* Install the run context for this CLI execution. Must be called once at
+* the top of `main()` before any subcommand work; idempotent (last call
+* wins, but `main` only calls it once).
+*
+* Resolution order for `runId`:
+*   1. `OPENCLAW_RUN_ID` env var — set by a parent CLI process (e.g. the
+*      `reset --async` dispatcher exports it before spawning the worker)
+*      so cli.log lines for both processes carry the same `[run=...]`
+*      tag. Any non-empty value is honoured verbatim.
+*   2. `--trace-id=<id>` flag — caller-supplied upstream trace id.
+*   3. Generated locally as `gen-<8 hex>`.
+*
+* Safe to call without any input — runId falls through to the generated
+* branch and both metadata fields stay undefined.
+*/
+function setRunContext(opts) {
+	const inherited = process.env.OPENCLAW_RUN_ID;
+	if (inherited && inherited !== "") currentRunContext = {
+		runId: inherited,
+		caller: opts.caller,
+		traceId: opts.traceId,
+		generated: false
+	};
+	else if (opts.traceId) currentRunContext = {
+		runId: opts.traceId,
+		caller: opts.caller,
+		traceId: opts.traceId,
+		generated: false
+	};
+	else currentRunContext = {
+		runId: "gen-" + (0, node_crypto.randomBytes)(4).toString("hex"),
+		caller: opts.caller,
+		traceId: void 0,
+		generated: true
+	};
+	return currentRunContext;
+}
+function getRunContext() {
+	return currentRunContext;
+}
+/**
+* Format the run-scope tag the stderr mirror injects into cli.log lines.
+* Empty string when no context is set (mirror falls back to plain
+* timestamped lines, preserving pre-context startup logging).
+*/
+function runTag(rc = currentRunContext) {
+	if (!rc) return "";
+	const parts = [`run=${rc.runId}`];
+	if (rc.caller) parts.push(`caller=${rc.caller}`);
+	return `[${parts.join(" ")}]`;
+}
+//#endregion
+//#region src/logger.ts
+/**
+* Shared CLI log file. Every log line the CLI emits — whether through
+* `console.error` (rules, helpers, errors) or through the per-task
+* `makeLogger` (reset worker) — is tee'd here so operators have a single
+* file to tail when diagnosing a sandbox.
+*
+* `/tmp` is ephemeral on sandbox restart; we rely on that for rotation
+* (no size-based rotation implemented).
+*/
+const CLI_LOG_FILE = "/tmp/openclaw-diagnose/cli.log";
+/** Append one line to the shared cli.log. Swallows any fs error —
+*  logging must never break the business flow. */
+function appendCliLog(line) {
+	try {
+		const dir = node_path.default.dirname(CLI_LOG_FILE);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+		node_fs.default.appendFileSync(CLI_LOG_FILE, line);
+	} catch {}
+}
+let stderrMirrorInstalled = false;
+/**
+* Install a process-wide `console.error` interceptor. Always tees each
+* line to cli.log; the stderr passthrough is opt-in via `stderrEnabled`.
+*
+* Default (`stderrEnabled: false`): the terminal sees ONLY this command's
+* stdout (typically a single JSON result line). Lifecycle / progress /
+* error logs are fully captured in `/tmp/openclaw-diagnose/cli.log`,
+* which is the canonical debugging surface and already carries
+* timestamps and `[run=...]` tags.
+*
+* Verbose (`stderrEnabled: true`, opt in with the top-level `-x` flag):
+* lifecycle logs also stream to stderr in real time. Useful when
+* iterating on a single sandbox.
+*
+* Idempotent: calling twice is a no-op (first install wins). Tests that
+* need to swap mode should call `resetStderrMirrorForTests()` first.
+*
+* Why console.error (and not console.log): the CLI's stdout carries the
+* structured JSON result protocol consumed by sandbox_console and other
+* callers — any log line on stdout would corrupt JSON parsing.
+*/
+function installStderrMirror(opts = {}) {
+	if (stderrMirrorInstalled) return;
+	stderrMirrorInstalled = true;
+	const stderrEnabled = opts.stderrEnabled ?? false;
+	const original = console.error.bind(console);
+	console.error = (...args) => {
+		if (stderrEnabled) original(...args);
+		const body = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
+		const tag = runTag();
+		appendCliLog(`[${(/* @__PURE__ */ new Date()).toISOString()}]${tag ? ` ${tag}` : ""} ${body}\n`);
+	};
+}
+function safeStringify(v) {
+	try {
+		return JSON.stringify(v);
+	} catch {
+		return String(v);
+	}
+}
+function makeLogger(logFile) {
+	try {
+		const dir = node_path.default.dirname(logFile);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	} catch {}
+	return (msg) => {
+		const tag = runTag();
+		const line = `[${(/* @__PURE__ */ new Date()).toISOString()}]${tag ? ` ${tag}` : ""} ${msg}\n`;
+		try {
+			node_fs.default.appendFileSync(logFile, line);
+		} catch {}
+		appendCliLog(line);
+	};
+}
+//#endregion
+//#region src/reset-async.ts
+/**
+* Start an async reset task: spawn a detached child process and return the taskId.
+*
+* The child process runs: node cli.js reset --worker --task-id=xxx --ctx=base64
+*/
+function startAsyncReset(ctxBase64) {
+	const taskId = (0, node_crypto.randomUUID)();
+	const resultFile = resetResultFile(taskId);
+	const log = makeLogger(resetLogFile(taskId));
+	log(`=== startAsyncReset spawning worker for taskId=${taskId} ===`);
+	const initial = {
+		status: "running",
+		step: 0,
+		totalSteps: 9,
+		progress: "初始化...",
+		startedAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const tmpPath = resultFile + ".tmp";
+	const dir = node_path.default.dirname(resultFile);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	node_fs.default.writeFileSync(tmpPath, JSON.stringify(initial), "utf-8");
+	moveSafe(tmpPath, resultFile);
+	const rc = getRunContext();
+	const childEnv = { ...process.env };
+	if (rc?.runId) childEnv.OPENCLAW_RUN_ID = rc.runId;
+	const child = (0, node_child_process.spawn)(process.execPath, [
+		process.argv[1],
+		"reset",
+		"--worker",
+		`--task-id=${taskId}`,
+		`--ctx=${ctxBase64}`
+	], {
+		detached: true,
+		stdio: "ignore",
+		env: childEnv
+	});
+	child.on("error", (err) => {
+		log(`FATAL worker failed to start: ${err.message}`);
+		const failResult = {
+			status: "failed",
+			step: 0,
+			totalSteps: 9,
+			progress: "Worker process failed to start",
+			error: err.message,
+			startedAt: initial.startedAt,
+			completedAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		const errTmpPath = resultFile + ".tmp";
+		node_fs.default.writeFileSync(errTmpPath, JSON.stringify(failResult));
+		moveSafe(errTmpPath, resultFile);
+	});
+	child.unref();
+	log(`spawned worker pid=${child.pid}`);
 	return { taskId };
 }
 //#endregion
+//#region src/oss/fetchWithDiag.ts
+async function fetchWithDiag(url, opts = {}) {
+	const label = opts.label ?? originOf(url);
+	const timeoutMs = opts.timeoutMs ?? 3e4;
+	const start = Date.now();
+	const ac = new AbortController();
+	const timer = timeoutMs > 0 && Number.isFinite(timeoutMs) ? setTimeout(() => ac.abort(), timeoutMs) : void 0;
+	try {
+		return await fetch(url, { signal: ac.signal });
+	} catch (e) {
+		const durationMs = Date.now() - start;
+		const causeStr = e.name === "AbortError" || ac.signal.aborted && timeoutMs > 0 ? `request aborted after ${timeoutMs}ms (timeout)` : describeCause(e.cause) || e.message;
+		throw new Error(`fetch ${label} failed: ${causeStr} (url=${redactUrl(url)} durationMs=${durationMs})`);
+	} finally {
+		if (timer) clearTimeout(timer);
+	}
+}
+/** Walk the Error.cause chain and produce a single-line summary like
+*  `ENOTFOUND getaddrinfo ENOTFOUND oss.example.com`. */
+function describeCause(c, depth = 0) {
+	if (!c || depth > 3) return "";
+	if (c instanceof Error) {
+		const code = c.code;
+		const head = code ? `${code} ${c.message}` : c.message;
+		const inner = describeCause(c.cause, depth + 1);
+		return inner ? `${head} <- ${inner}` : head;
+	}
+	return String(c);
+}
+/** Strip query string — OSS signed URLs put the auth token there. Keeps
+*  protocol/host/path so the operator can tell *which* OSS bucket / object
+*  was being fetched. */
+function redactUrl(raw) {
+	try {
+		const u = new URL(raw);
+		const tail = u.search ? "?<redacted>" : "";
+		return `${u.protocol}//${u.host}${u.pathname}${tail}`;
+	} catch {
+		return "<invalid-url>";
+	}
+}
+function originOf(raw) {
+	try {
+		return new URL(raw).host;
+	} catch {
+		return "unknown-host";
+	}
+}
+//#endregion
 //#region src/oss/fetchManifest.ts
 const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
 const MANIFEST_SUFFIX = ".json";
@@ -1810,10 +2269,24 @@ async function fetchManifest(ossFileMap, tag) {
 		const availStr = available.length ? available.join(", ") : "(none)";
 		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
 	}
-	const res = await fetch(url);
-	if (!res.ok) throw new Error(`fetch manifest failed: HTTP ${res.status} ${res.statusText}`);
+	const label = `openclaw manifest tag=${tag}`;
+	const res = await fetchWithDiag(url, { label });
+	if (!res.ok) {
+		const body = await readPreview(res);
+		throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (body ? ` body=${body}` : ""));
+	}
 	return await res.json();
 }
+/** Best-effort body preview for HTTP-error diagnostics. OSS errors are
+*  XML; first 256 chars usually contain the <Code> + <Message> we care
+*  about. Failures here are swallowed (logging-only, not load-bearing). */
+async function readPreview(res) {
+	try {
+		return (await res.text()).slice(0, 256);
+	} catch {
+		return "";
+	}
+}
 async function downloadWithCache(pkg, ossFileMap, opts = {}) {
 	const cacheRoot = opts.cacheRoot ?? "/tmp/openclaw-diagnose/resources";
 	const shortHash = pkg.shasum.slice(0, 16);
@@ -1827,9 +2300,19 @@ async function downloadWithCache(pkg, ossFileMap, opts = {}) {
 	const expected = pkg.integrity.slice(7);
 	const tmpFile = node_path.default.join(destDir, `.tmp.${process.pid}.${node_crypto.default.randomBytes(4).toString("hex")}`);
 	try {
-		const res = await fetch(url);
-		if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
-		if (!res.body) throw new Error(`download failed: empty body for ${pkg.ossKey}`);
+		const label = `download ${pkg.ossKey}`;
+		const res = await fetchWithDiag(url, {
+			label,
+			timeoutMs: 6e4
+		});
+		if (!res.ok) {
+			let preview = "";
+			try {
+				preview = (await res.text()).slice(0, 256);
+			} catch {}
+			throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (preview ? ` body=${preview}` : ""));
+		}
+		if (!res.body) throw new Error(`${label}: empty body`);
 		const hasher = node_crypto.default.createHash("sha512");
 		const source = node_stream.Readable.fromWeb(res.body);
 		async function* teeAndHash(src) {
@@ -2354,16 +2837,6 @@ function writeSecretsAndRestart(vars, resetData, configDir, log) {
 		log(`restart.sh done in ${Date.now() - t}ms`);
 	} else log(`no restart.sh at ${restartScript}, skip`);
 }
-/**
-* Run the 9-step reset process. Called from the worker entry point.
-*
-* Each step is an independent function. The orchestrator handles progress
-* reporting, error handling, and process-level exception guards.
-*
-* Template assets (openclaw.json + scripts/) are downloaded from OSS into a
-* scratch dir via `stageTemplate` before step 1 — there is no bundled
-* `template/` directory at runtime any more.
-*/
 async function runReset(input, taskId, resultFile) {
 	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
 	const { configPath, vars, resetData } = input;
@@ -2371,6 +2844,7 @@ async function runReset(input, taskId, resultFile) {
 	const stagedDir = node_path.default.join(DIAGNOSE_DIR, `reset-${taskId}-template`);
 	let currentStep = 0;
 	let stepStartedAt = Date.now();
+	const stepResults = [];
 	const log = makeLogger(resetLogFile(taskId));
 	log(`=== reset started, taskId=${taskId}, pid=${process.pid} ===`);
 	log(`configPath=${configPath}, configDir=${configDir}, stagedDir=${stagedDir}`);
@@ -2379,7 +2853,12 @@ async function runReset(input, taskId, resultFile) {
 		const err = "resetData.ossFileMap missing or empty";
 		log(`ERROR: ${err}`);
 		markFailed(resultFile, 0, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
 	}
 	let openclawTag;
 	if (resetData.openclawTag) openclawTag = resetData.openclawTag;
@@ -2389,7 +2868,12 @@ async function runReset(input, taskId, resultFile) {
 		const err = e.message;
 		log(`ERROR: ${err}`);
 		markFailed(resultFile, 0, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
 	}
 	log(`openclawTag=${openclawTag}`);
 	process.on("uncaughtException", (err) => {
@@ -2402,9 +2886,19 @@ async function runReset(input, taskId, resultFile) {
 		markFailed(resultFile, currentStep, `unhandled rejection: ${reason}`, startedAt);
 		process.exit(1);
 	});
-	/** Advance to the next step, updating the progress file and logging a boundary. */
+	/** Advance to the next step, recording the previous step's success
+	*  duration and updating the on-disk progress file. */
 	const step = (n) => {
-		if (currentStep > 0) log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${Date.now() - stepStartedAt}ms`);
+		if (currentStep > 0) {
+			const dur = Date.now() - stepStartedAt;
+			log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${dur}ms`);
+			stepResults.push({
+				step: currentStep,
+				name: STEPS[currentStep - 1],
+				status: "ok",
+				durationMs: dur
+			});
+		}
 		currentStep = n;
 		stepStartedAt = Date.now();
 		log(`--- step ${n}/${TOTAL_STEPS}: ${STEPS[n - 1]} ---`);
@@ -2430,14 +2924,38 @@ async function runReset(input, taskId, resultFile) {
 		await step8InstallExtensions(openclawTag, ossFileMap, log);
 		step(9);
 		writeSecretsAndRestart(vars, resetData, configDir, log);
-		log(`step 9 "${STEPS[8]}" done in ${Date.now() - stepStartedAt}ms`);
+		const lastDur = Date.now() - stepStartedAt;
+		log(`step 9 "${STEPS[8]}" done in ${lastDur}ms`);
+		stepResults.push({
+			step: 9,
+			name: STEPS[8],
+			status: "ok",
+			durationMs: lastDur
+		});
 		log("=== reset completed successfully ===");
 		markDone(resultFile, startedAt);
+		return {
+			success: true,
+			steps: stepResults
+		};
 	} catch (e) {
 		const err = e.message;
-		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${Date.now() - stepStartedAt}ms: ${err}\n${e.stack ?? ""}`);
+		const dur = Date.now() - stepStartedAt;
+		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${dur}ms: ${err}\n${e.stack ?? ""}`);
+		stepResults.push({
+			step: currentStep,
+			name: STEPS[currentStep - 1] ?? "init",
+			status: "fail",
+			durationMs: dur,
+			error: err
+		});
 		markFailed(resultFile, currentStep, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: currentStep
+		};
 	} finally {
 		try {
 			node_fs.default.rmSync(stagedDir, {
@@ -2504,38 +3022,24 @@ function resolveOssFileMap(args) {
 	throw new Error("ossFileMap missing: provide --oss_file_map flag, ctx.install.ossFileMap, or resetData.ossFileMap");
 }
 //#endregion
-//#region src/innerapi/fetchCtx.ts
+//#region src/innerapi/client.ts
 /**
-* CLI-side client for studio_server's `openclaw.get_doctor_ctx` inner API.
-*
-* Mirrors the proven pattern in
-* `packages/openclaw/extensions/miaoda/src/shared/innerapi-client.ts`:
+* Shared innerapi HTTP client + path constants for `openclaw.*` calls.
 *
 *   - `baseURL` from env `FORCE_AUTHN_INNERAPI_DOMAIN` (injected into every
 *     openclaw sandbox).
 *   - `platform: { enabled, tokenProvider: { type: 'file' } }` — the platform
 *     plugin auto-attaches the sandbox's identity JWT loaded from the
 *     rootfs token file. Same auth that the miaoda extension already uses.
-*   - POST `/api/v1/studio/innerapi/integration_apis/call`
-*     body = { apiName: 'openclaw.get_doctor_ctx', input: {}, bizType: 'openclaw' }
-*     — the server-side APICall dispatches by `apiName` to
-*     `GetDoctorCtxAPICall.Execute` whose `Name()` returns that string.
-*   - Response envelope: { status_code, error_msg?, data: { success, output, ... } }.
-*     `status_code` is a *string* ('0' = success).
-*     Actual DoctorCtx lives in `data.output`.
-*   - `x-tt-logid` header is logged on every failure path for cross-service
-*     traceability.
-*
-* On HTTP 401 (sandbox identity token expired/invalid) we `process.exit(77)`
-* instead of throwing — the outer catch in `index.ts` cannot then mask auth
-* failure as a generic "Error: ...". Caller (e.g. sandbox_console) sees the
-* exit code and can refresh the token + retry.
+*   - POST `/api/v1/studio/innerapi/integration_apis/call` with body
+*     `{ apiName, bizType, input }` is the universal dispatcher; specific
+*     apiName values (e.g. `openclaw.get_doctor_ctx`,
+*     `openclaw.report_doctor_result`) are owned by individual call-site
+*     modules.
 */
 const INNERAPI_CALL_PATH = "/api/v1/studio/innerapi/integration_apis/call";
-const API_NAME = "openclaw.get_doctor_ctx";
 const BIZ_TYPE = "openclaw";
 const API_TIMEOUT_MS = 3e4;
-const MAX_LOG_BODY = 500;
 let clientInstance = null;
 function getHttpClient() {
 	if (!clientInstance) {
@@ -2552,6 +3056,35 @@ function getHttpClient() {
 	}
 	return clientInstance;
 }
+//#endregion
+//#region src/innerapi/fetchCtx.ts
+/**
+* CLI-side client for studio_server's `openclaw.get_doctor_ctx` inner API.
+*
+* Mirrors the proven pattern in
+* `packages/openclaw/extensions/miaoda/src/shared/innerapi-client.ts`:
+*
+*   - `baseURL` from env `FORCE_AUTHN_INNERAPI_DOMAIN` (injected into every
+*     openclaw sandbox).
+*   - `platform: { enabled, tokenProvider: { type: 'file' } }` — the platform
+*     plugin auto-attaches the sandbox's identity JWT loaded from the
+*     rootfs token file. Same auth that the miaoda extension already uses.
+*   - POST `/api/v1/studio/innerapi/integration_apis/call`
+*     body = { apiName: 'openclaw.get_doctor_ctx', input: {}, bizType: 'openclaw' }
+*     — the server-side APICall dispatches by `apiName` to
+*     `GetDoctorCtxAPICall.Execute` whose `Name()` returns that string.
+*   - Response envelope: { status_code, error_msg?, data: { success, output, ... } }.
+*     `status_code` is a *string* ('0' = success).
+*     Actual DoctorCtx lives in `data.output`.
+*   - `x-tt-logid` header is logged on every failure path for cross-service
+*     traceability.
+*
+* On HTTP 401 (sandbox identity token expired/invalid) we `process.exit(77)`
+* instead of throwing — the outer catch in `index.ts` cannot then mask auth
+* failure as a generic "Error: ...". Caller (e.g. sandbox_console) sees the
+* exit code and can refresh the token + retry.
+*/
+const API_NAME$1 = "openclaw.get_doctor_ctx";
 /**
 * Fetch the sandbox's DoctorCtx by calling the innerapi's generic
 * `integration_apis/call` dispatcher with apiName=openclaw.get_doctor_ctx.
@@ -2559,14 +3092,19 @@ function getHttpClient() {
 * Throws on HTTP (non-401) / decode / business errors. On 401 calls
 * `process.exit(77)` directly.
 */
-async function fetchCtxViaInnerApi() {
+async function fetchCtxViaInnerApi(opts = {}) {
 	const client = getHttpClient();
+	const input = {};
+	if (opts.populate !== void 0) input.populate = opts.populate;
+	if (opts.caller) input.caller = opts.caller;
+	if (opts.traceId) input.traceId = opts.traceId;
 	const body = {
-		apiName: API_NAME,
-		input: {},
+		apiName: API_NAME$1,
+		input,
 		bizType: BIZ_TYPE
 	};
 	const start = Date.now();
+	console.error(`fetchCtx: start populate=${JSON.stringify(opts.populate ?? {})}${opts.caller ? ` caller=${opts.caller}` : ""}${opts.traceId ? ` traceId=${opts.traceId}` : ""}`);
 	const headers = { "Content-Type": "application/json" };
 	const ttEnv = process.env.X_TT_ENV;
 	if (ttEnv) headers["x-tt-env"] = ttEnv;
@@ -2596,7 +3134,7 @@ async function fetchCtxViaInnerApi() {
 		}
 		let preview = "";
 		try {
-			preview = (await response.text()).slice(0, MAX_LOG_BODY);
+			preview = (await response.text()).slice(0, 500);
 		} catch {}
 		throw new Error(`fetchCtxViaInnerApi HTTP ${response.status} ${response.statusText} (logID: ${logId}, durationMs: ${durationMs})${preview ? ` body=${preview}` : ""}`);
 	}
@@ -2610,6 +3148,7 @@ async function fetchCtxViaInnerApi() {
 	if (envelope.data && envelope.data.success === false) throw new Error(`fetchCtxViaInnerApi business error (logID: ${logId}, durationMs: ${durationMs}): ${envelope.error_msg ?? JSON.stringify(envelope.data)}`);
 	const output = envelope.data?.output;
 	if (!output || typeof output !== "object") throw new Error(`fetchCtxViaInnerApi empty/invalid output (logID: ${logId}, durationMs: ${durationMs})`);
+	console.error(`fetchCtx: ok logId=${logId} durationMs=${durationMs} groups=[${Object.keys(output).join(",")}]`);
 	return output;
 }
 //#endregion
@@ -2628,26 +3167,40 @@ async function fetchCtxViaInnerApi() {
 */
 function normalizeCtx(raw) {
 	const r = raw ?? {};
-	if (r.app && typeof r.app === "object" && r.install && typeof r.install === "object" && r.secrets && typeof r.secrets === "object" && r.reset && typeof r.reset === "object") return {
-		app: fillApp(r.app),
-		install: {
-			openclawTag: r.install.openclawTag,
-			ossFileMap: r.install.ossFileMap ?? {}
-		},
-		secrets: {
-			secretsContent: r.secrets.secretsContent ?? "",
-			providerKeyContent: r.secrets.providerKeyContent ?? ""
-		},
-		reset: {
-			templateVars: r.reset.templateVars ?? {},
-			coreBackup: r.reset.coreBackup
-		}
-	};
+	if (r.app && typeof r.app === "object" && r.install && typeof r.install === "object" && r.secrets && typeof r.secrets === "object" && r.reset && typeof r.reset === "object") {
+		const templateVars = r.app.templateVars && typeof r.app.templateVars === "object" ? r.app.templateVars : r.reset.templateVars ?? {};
+		const recommendedOpenclawTag = typeof r.app.recommendedOpenclawTag === "string" && r.app.recommendedOpenclawTag !== "" ? r.app.recommendedOpenclawTag : typeof r.install.openclawTag === "string" && r.install.openclawTag !== "" ? r.install.openclawTag : void 0;
+		return {
+			app: {
+				...fillApp(r.app),
+				templateVars,
+				recommendedOpenclawTag
+			},
+			install: {
+				openclawTag: r.install.openclawTag,
+				ossFileMap: r.install.ossFileMap ?? {}
+			},
+			secrets: {
+				secretsContent: r.secrets.secretsContent ?? "",
+				providerKeyContent: r.secrets.providerKeyContent ?? ""
+			},
+			reset: {
+				templateVars: r.reset.templateVars ?? {},
+				coreBackup: r.reset.coreBackup
+			}
+		};
+	}
 	const vars = r.vars ?? {};
 	const resetData = r.resetData ?? {};
 	const repairData = r.repairData ?? {};
+	const legacyTemplateVars = vars.templateVars && typeof vars.templateVars === "object" ? vars.templateVars : resetData.templateVars ?? r.templateVars ?? {};
+	const legacyRecommendedTag = typeof vars.recommendedOpenclawTag === "string" && vars.recommendedOpenclawTag !== "" ? vars.recommendedOpenclawTag : typeof resetData.openclawTag === "string" && resetData.openclawTag !== "" ? resetData.openclawTag : typeof r.openclawTag === "string" && r.openclawTag !== "" ? r.openclawTag : void 0;
 	return {
-		app: fillApp(vars),
+		app: {
+			...fillApp(vars),
+			templateVars: legacyTemplateVars,
+			recommendedOpenclawTag: legacyRecommendedTag
+		},
 		install: {
 			openclawTag: r.install?.openclawTag ?? r.openclawTag,
 			ossFileMap: r.install?.ossFileMap ?? resetData.ossFileMap ?? r.ossFileMap ?? {}
@@ -2700,11 +3253,15 @@ function fillApp(src) {
 function buildCheckInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2718,19 +3275,25 @@ function buildCheckInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
-		templateVars: ctx.reset.templateVars
+		templateVars: ctx.app.templateVars
 	};
 }
 function buildRepairInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2744,23 +3307,29 @@ function buildRepairInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		repairData: {
 			secretsContent: ctx.secrets.secretsContent,
 			providerKeyContent: ctx.secrets.providerKeyContent
 		},
-		templateVars: ctx.reset.templateVars
+		templateVars: ctx.app.templateVars
 	};
 }
 function buildResetInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars && r.resetData) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.resetData?.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2774,7 +3343,9 @@ function buildResetInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		resetData: {
 			templateVars: ctx.reset.templateVars,
@@ -2788,30 +3359,379 @@ function buildResetInput(raw, configPathOverride) {
 }
 //#endregion
 //#region src/doctor.ts
+/**
+* Per-rule orchestration with telemetry-friendly outcomes.
+*
+* Flow per rule (in topological order, after disabledRules / dependsOn /
+* skipWhen filtering):
+*
+*   1. validate            — exception → status='error', abort
+*   2. pass                → status='pass'
+*   3. fail and !opts.fix  → status='failed' (with v1.message)
+*   4. fail and opts.fix   →
+*      a. only standard-mode rules attempt repair; ai/reset stay 'failed'
+*      b. repair             — exception → status='error', abort
+*      c. re-validate        — exception → status='error', abort
+*      d. v2.pass            → status='fixed' (before = v1.message)
+*      e. v2.fail            → status='still-broken' (before+after)
+*
+* Aborted runs return a partial DoctorReport with `aborted: true`. The
+* caller should `console.log(JSON.stringify(report))` first, THEN
+* `process.exit(1)` so sweep / telemetry callers always get the partial
+* data plus the non-zero signal.
+*
+* Config writeback: if opts.fix and at least one rule transitioned
+* pass→fixed, the in-memory ctx.config is JSON-serialized and written
+* back to opts.configPath. On abort, no write — keep the on-disk file
+* matching whatever was successful before the failure.
+*
+* Secrets file / provider-key / restart-command writes are NOT performed
+* by doctor. Those belong to the standalone `repair` subcommand which
+* sandbox_console push uses. Doctor is for diagnosis + per-rule fix
+* with structured outcomes.
+*/
 async function runDoctor(rawCtx, opts) {
-	if (opts.fix && opts.rules.length > 0) {
-		const repairInput = buildRepairInput(rawCtx, opts.configPath);
-		repairInput.failedRules = opts.rules;
-		repairInput.repairData = {
-			...repairInput.repairData ?? {},
-			restartCommand: ""
-		};
-		return { repair: runRepair(repairInput) };
+	const results = [];
+	console.error(`runDoctor: begin fix=${opts.fix} rules=[${opts.rules.join(",")}] configPath=${opts.configPath ?? "(default)"}`);
+	const checkInput = buildCheckInput(rawCtx, opts.configPath);
+	let configRaw;
+	let config;
+	try {
+		configRaw = readFile(checkInput.configPath);
+	} catch (e) {
+		console.error(`runDoctor: read config failed at ${checkInput.configPath} message=${e.message}`);
+		return finalize([{
+			rule: "config_syntax_check",
+			status: "error",
+			message: "read config failed: " + e.message
+		}], true);
+	}
+	try {
+		config = loadJSON5().parse(configRaw);
+	} catch (e) {
+		console.error(`runDoctor: config JSON5 parse failed message=${e.message}`);
+		results.push({
+			rule: "config_syntax_check",
+			status: opts.fix ? "still-broken" : "failed",
+			message: "config JSON5 parse failed: " + e.message
+		});
+		return finalize(results, true);
+	}
+	const ctx = {
+		config,
+		configPath: checkInput.configPath,
+		vars: checkInput.vars,
+		providerDeps: analyzeProviderDeps(config)
+	};
+	const originalConfig = opts.showDiff && opts.fix ? deepClone(config) : null;
+	const allRules = getAllRules();
+	const onlyKeys = opts.rules.length > 0 ? new Set(opts.rules) : null;
+	const skipRuleKeys = new Set(opts.skipRules ?? []);
+	const disabledKeys = new Set([...checkInput.disabledRules ?? [], ...skipRuleKeys]);
+	if (onlyKeys) {
+		const registeredKeys = new Set(allRules.map((r) => r.meta.key));
+		for (const k of opts.rules) if (!registeredKeys.has(k)) results.push({
+			rule: k,
+			status: "unknown"
+		});
+	}
+	const failedKeys = /* @__PURE__ */ new Set();
+	let configDirty = false;
+	let aborted = false;
+	const hasMiaoda = shouldCheckMiaodaRules(config);
+	const plannedRules = allRules.filter((r) => !onlyKeys || onlyKeys.has(r.meta.key));
+	console.error(`runDoctor: planned ${plannedRules.length} rules hasMiaoda=${hasMiaoda} providerDeps=${JSON.stringify(ctx.providerDeps)}`);
+	outer: for (const rule of allRules) {
+		const key = rule.meta.key;
+		if (onlyKeys && !onlyKeys.has(key)) continue;
+		if (disabledKeys.has(key)) {
+			const reason = skipRuleKeys.has(key) ? "--skip-rule" : "disabledRules";
+			console.error(`rule ${key}: skipped reason=${reason}`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: reason
+			});
+			continue;
+		}
+		if (rule.meta.dependsOn?.some((d) => failedKeys.has(d))) {
+			const blockers = rule.meta.dependsOn?.filter((d) => failedKeys.has(d)).join(",");
+			console.error(`rule ${key}: skipped reason=dependsOn-failed blockers=${blockers}`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: `dependsOn failed: ${blockers}`
+			});
+			continue;
+		}
+		if (rule.meta.skipWhen?.({
+			hasMiaoda,
+			deps: ctx.providerDeps
+		})) {
+			console.error(`rule ${key}: skipped reason=skipWhen`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: "skipWhen"
+			});
+			continue;
+		}
+		const tValidate = Date.now();
+		let v1;
+		try {
+			v1 = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: validate -> error durationMs=${Date.now() - tValidate} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "validate threw: " + msg
+			});
+			aborted = true;
+			break outer;
+		}
+		if (v1.pass) {
+			console.error(`rule ${key}: validate -> pass durationMs=${Date.now() - tValidate}`);
+			results.push({
+				rule: key,
+				status: "pass"
+			});
+			continue;
+		}
+		if (!opts.fix) {
+			console.error(`rule ${key}: validate -> failed durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "failed",
+				message: v1.message
+			});
+			failedKeys.add(key);
+			continue;
+		}
+		if (rule.meta.repairMode !== "standard") {
+			console.error(`rule ${key}: validate -> failed (no auto-repair, repairMode=${rule.meta.repairMode}) durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "failed",
+				message: v1.message
+			});
+			failedKeys.add(key);
+			continue;
+		}
+		console.error(`rule ${key}: validate -> failed durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+		const tRepair = Date.now();
+		try {
+			rule.repair(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: repair -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "repair threw: " + msg,
+				before: v1.message
+			});
+			aborted = true;
+			break outer;
+		}
+		console.error(`rule ${key}: repair -> ok durationMs=${Date.now() - tRepair}`);
+		configDirty = true;
+		const tRevalidate = Date.now();
+		let v2;
+		try {
+			v2 = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: revalidate -> error durationMs=${Date.now() - tRevalidate} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "post-repair validate threw: " + msg,
+				before: v1.message
+			});
+			aborted = true;
+			break outer;
+		}
+		if (v2.pass) {
+			console.error(`rule ${key}: revalidate -> pass (fixed) durationMs=${Date.now() - tRevalidate}`);
+			results.push({
+				rule: key,
+				status: "fixed",
+				before: v1.message
+			});
+		} else {
+			console.error(`rule ${key}: revalidate -> still-broken durationMs=${Date.now() - tRevalidate} after=${v2.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "still-broken",
+				before: v1.message,
+				after: v2.message
+			});
+			failedKeys.add(key);
+		}
+	}
+	let backupPath = null;
+	if (configDirty && !aborted) {
+		backupPath = backupConfigSync(ctx.configPath);
+		const serialized = JSON.stringify(ctx.config, null, 2);
+		try {
+			writeFile(ctx.configPath, serialized);
+			console.error(`runDoctor: writeback ok path=${ctx.configPath} bytes=${serialized.length}`);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`runDoctor: writeback failed path=${ctx.configPath} message=${msg}`);
+			results.push({
+				rule: "*config-writeback*",
+				status: "error",
+				message: "config write failed: " + msg
+			});
+			aborted = true;
+		}
+	} else if (configDirty && aborted) console.error("runDoctor: writeback skipped (aborted, leaving on-disk config untouched)");
+	else console.error("runDoctor: writeback skipped (no rule transitioned to fixed)");
+	console.error(`runDoctor: end aborted=${aborted} results=${results.length}`);
+	if (originalConfig !== null) {
+		const d = (0, json_diff.diffString)(originalConfig, ctx.config, { color: false });
+		console.error(`runDoctor: diff backupPath=${backupPath ?? "(none)"} changed=${!!d}`);
+		if (d) {
+			process.stdout.write(`original:    ${backupPath ?? "(none)"}\n`);
+			process.stdout.write(`after fixed: ${ctx.configPath}\n`);
+			process.stdout.write("diff:\n");
+			process.stdout.write(d);
+			if (!d.endsWith("\n")) process.stdout.write("\n");
+		} else process.stdout.write("(no openclaw.json changes)\n");
+	}
+	return finalize(results, aborted);
+}
+/** Deep-clone a JSON-shaped value. Uses structuredClone where available
+*  (Node 17+); falls back to JSON round-trip otherwise. The config we
+*  clone here is JSON5-parsed so it's strictly tree-shaped — no
+*  references, no functions — making both paths equivalent. */
+function deepClone(v) {
+	if (typeof structuredClone === "function") return structuredClone(v);
+	return JSON.parse(JSON.stringify(v));
+}
+function finalize(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
+	};
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
 	}
-	const check = runCheck(buildCheckInput(rawCtx, opts.configPath));
-	if (!opts.fix) return { failedRules: check.failedRules };
-	const repairInput = buildRepairInput(rawCtx, opts.configPath);
-	repairInput.failedRules = check.failedRules.standard;
 	return {
-		check,
-		repair: runRepair(repairInput)
+		results,
+		summary,
+		aborted
 	};
 }
 //#endregion
+//#region src/innerapi/reportCliRun.ts
+/**
+* CLI-side client for studio_server's `openclaw.report_cli_run` inner
+* API — the unified telemetry sink for every CLI command.
+*
+* Best-effort: gated by `DoctorCtx.telemetry.reportCliRun` returned by
+* `get_doctor_ctx`. When the server hasn't rolled out the API yet the
+* flag is absent and the CLI never invokes this. When enabled, the CLI
+* fires-and-forgets one report per command after work is done.
+*
+* Failures here MUST NOT change exit code or otherwise affect the
+* command's data path — telemetry is auxiliary. Caller is expected to
+* `try/catch` and just `console.error` on rejection.
+*
+* Replaces the earlier `openclaw.report_doctor_result` API. The schema
+* generalises so check / repair / install-* / download-resource / reset
+* (worker) can all use the same envelope; per-command shape lives under
+* `result`.
+*/
+const API_NAME = "openclaw.report_cli_run";
+async function reportCliRun(opts) {
+	const client = getHttpClient();
+	const input = {
+		command: opts.command,
+		runId: opts.runId,
+		version: opts.version,
+		invocation: opts.invocation,
+		durationMs: opts.durationMs,
+		success: opts.success
+	};
+	if (opts.caller) input.caller = opts.caller;
+	if (opts.traceId) input.traceId = opts.traceId;
+	if (opts.result !== void 0) input.result = opts.result;
+	if (opts.error) input.error = opts.error;
+	const body = {
+		apiName: API_NAME,
+		input,
+		bizType: BIZ_TYPE
+	};
+	const headers = { "Content-Type": "application/json" };
+	const ttEnv = process.env.X_TT_ENV;
+	if (ttEnv) headers["x-tt-env"] = ttEnv;
+	const start = Date.now();
+	console.error(`reportCliRun: start command=${opts.command} success=${opts.success} version=${opts.version} invocation=${JSON.stringify(opts.invocation)} durationMs=${opts.durationMs}`);
+	let response;
+	try {
+		response = await client.post(INNERAPI_CALL_PATH, body, { headers });
+	} catch (e) {
+		if (e instanceof _lark_apaas_http_client.HttpError && e.response) {
+			const status = e.response.status;
+			const logId = e.response.headers.get("x-tt-logid") ?? "";
+			throw new Error(`reportCliRun HTTP ${status} ${e.response.statusText} (logID: ${logId})`);
+		}
+		const msg = e instanceof Error ? e.message : String(e);
+		throw new Error(`reportCliRun network error: ${msg}`);
+	}
+	const logId = response.headers.get("x-tt-logid") ?? "";
+	if (!response.ok) {
+		let preview = "";
+		try {
+			preview = (await response.text()).slice(0, 500);
+		} catch {}
+		throw new Error(`reportCliRun HTTP ${response.status} ${response.statusText} (logID: ${logId})${preview ? ` body=${preview}` : ""}`);
+	}
+	let envelope;
+	try {
+		envelope = await response.json();
+	} catch {
+		console.error(`reportCliRun: ok logId=${logId} httpDurationMs=${Date.now() - start} (body unparseable, treated as success)`);
+		return;
+	}
+	if (envelope.status_code !== void 0 && envelope.status_code !== "0") throw new Error(`reportCliRun API error (logID: ${logId}): code=${envelope.status_code}, message=${envelope.error_msg ?? ""}`);
+	if (envelope.data && envelope.data.success === false) throw new Error(`reportCliRun business error (logID: ${logId}): ${envelope.error_msg ?? JSON.stringify(envelope.data)}`);
+	console.error(`reportCliRun: ok logId=${logId} httpDurationMs=${Date.now() - start}`);
+}
+//#endregion
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.4-alpha.0`;
+	return `v0.1.4-alpha.1`;
 }
 const COMMANDS = [
 	{
@@ -2819,46 +3739,85 @@ const COMMANDS = [
 		hidden: false,
 		summary: "Diagnose openclaw config; apply repairs with --fix",
 		help: `USAGE
-  ${BIN} doctor [--fix] [--rule=<key>]...
+  ${BIN} doctor [--fix] [--show-diff] [--rule=<key>]... [--skip-rule=<key>]...
+                [--caller=<n>] [--trace-id=<id>]
 DESCRIPTION
-  Fetches DoctorCtx via innerapi, then runs one of three modes depending
-  on the flags. Output is a single JSON object on stdout.
+  Fetches DoctorCtx via innerapi, then orchestrates each rule:
-MODES
-  (no flags)              Check-only. Runs the rule engine against the
-                          sandbox's current openclaw config and returns
-                            { failedRules: { standard, ai, reset } }
-                          No files are mutated. Use this when you just
-                          want to know what's wrong.
+    validate (always)
+      pass               → status='pass'
+      fail and !--fix    → status='failed'
+      fail and --fix
+        repair → re-validate
+          pass           → status='fixed'
+          still fail     → status='still-broken'
-  --fix                   Check + repair-all. First runs the rule engine,
-                          then repairs every failing standard-mode rule.
-                          Returns
-                            { check: {...}, repair: {...} }
-                          Use this as the default "fix everything" action.
+  Output is a single JSON object on stdout:
-  --fix --rule=<key>...   Targeted repair. Skips the check pass entirely
-                          and runs repair against the listed rule keys
-                          only. Unknown keys are silently ignored.
-                          Returns { repair: {...} } with only those
-                          rules' outcomes. Use this when you already
-                          know which rules need fixing.
+    {
+      "results": [{ "rule": "...", "status": "...", "message"?: "...", ...}],
+      "summary": { "pass": N, "failed": N, "fixed": N, "stillBroken": N,
+                   "skipped": N, "error": N, "unknown": N },
+      "aborted": false
+    }
+STATUSES
+  pass            Rule's validate passed; no repair attempted.
+  failed          Rule's validate failed; --fix was not given.
+  fixed           Rule's validate failed; repair ran; re-validate passed.
+  still-broken    Rule's validate failed; repair ran; re-validate still failed.
+  skipped         Rule excluded by disabledRules / --skip-rule / dependsOn /
+                  skipWhen.
+  error           validate or repair threw an exception. ABORTS the run —
+                  exit code becomes 1; partial 'results' still written to stdout.
+  unknown         --rule=<k> with k not registered. Reported, not aborting.
 OPTIONS
-  --fix                   Enable repair. See MODES above.
-  --rule=<key>            Repair only this rule key. Repeatable. Only
-                          meaningful together with --fix.
+  --fix              Enable repair. Without it, validate runs but failures
+                     are reported as 'failed' instead of being repaired.
+  --show-diff        With --fix: replace the JSON report on stdout with
+                     a plain-text section showing
+                       original:    <backup path>
+                       after fixed: <openclaw.json path>
+                       diff:
+                       <unified-diff body, same format as \`json-diff\`>
+                     Interactive flag — sandbox_console's push path never
+                     sets it, so the JSON contract is preserved for that
+                     caller. No-op without --fix (no mutation, no diff).
+  --rule=<key>       Whitelist: restrict the run to this rule key (repeatable).
+                     Without --rule, every registered rule runs. With --rule,
+                     the planner narrows the innerapi vars fetch to just
+                     that rule's needs (see lazy-vars).
+  --skip-rule=<key>  Blacklist: skip the rule entirely — neither validate
+                     nor repair runs (repeatable). Outcome is 'skipped' with
+                     message='--skip-rule'. Stacks with the server's
+                     disabledRules. Skipped rules also subtract their vars
+                     from the planner's union.
+  --caller=<name>    Optional metadata; passed through verbatim to innerapi
+                     (fetchCtx + report_cli_run body.input.caller).
+                     E.g. "sweep_job", "user_yxy". Server uses for audit /
+                     correlation; CLI doesn't act on it.
+  --trace-id=<id>    Optional log-correlation id; passed through verbatim
+                     to innerapi body.input.traceId. Typically the upstream
+                     caller's logID (e.g. sandbox_console's request id).
 EXAMPLES
-  ${BIN} doctor                                            # check only
-  ${BIN} doctor --fix                                      # check then repair all
-  ${BIN} doctor --fix --rule=gateway                       # repair 'gateway' only
-  ${BIN} doctor --fix --rule=gateway --rule=jwt_token      # repair multiple
+  ${BIN} doctor                                          # diagnose, no fixes
+  ${BIN} doctor --fix                                    # diagnose + fix everything
+  ${BIN} doctor --fix --rule=gateway                     # fix only 'gateway'
+  ${BIN} doctor --fix --skip-rule=feishu_channel         # fix everything except feishu
+  ${BIN} doctor --fix --skip-rule=feishu_channel --skip-rule=feishu_default_account
+                                                         # skip multiple rules
+  ${BIN} doctor --fix --show-diff                        # see exactly what changed
+                                                         # (plain-text diff after
+                                                         # the JSON report)
 EXIT CODES
-  0    success
-  1    generic error
+  0    completed (results may include 'failed' / 'still-broken' — those
+       are normal data outcomes, not run failures)
+  1    aborted because a rule's validate or repair threw. Partial
+       results still on stdout.
   77   innerapi authentication failed (sandbox JWT expired/invalid)
 `
 	},
@@ -3047,6 +4006,62 @@ function formatCommandHelp(name) {
 	return cmd.help;
 }
 //#endregion
+//#region src/rule-engine/planner.ts
+/**
+* Compute the union of `Vars` field names that the **enabled** rules will
+* actually read. Sources from each rule's `@Rule({ usesVars: [...] })`
+* declaration; drift is caught at test time by `strict-vars.test.ts`.
+*
+* Inactive rules (skipped via skipWhen at runtime) are STILL counted —
+* skipWhen depends on parsed-config state we don't have at planning time.
+* Slight over-fetch in those cases, but no correctness issue.
+*
+* Result is stable-sorted for deterministic logging / test snapshots.
+*/
+function planVarsFields(opts = {}) {
+	const disabled = new Set(opts.disabled ?? []);
+	const only = opts.onlyRules && opts.onlyRules.length > 0 ? new Set(opts.onlyRules) : null;
+	const fields = /* @__PURE__ */ new Set();
+	for (const rule of getAllRules()) {
+		const key = rule.meta.key;
+		if (disabled.has(key)) continue;
+		if (only && !only.has(key)) continue;
+		for (const f of rule.meta.usesVars ?? []) fields.add(f);
+	}
+	return [...fields].sort();
+}
+/**
+* Plan a `populate` selector for a given subcommand.
+*
+* Per-command group needs:
+*
+*   doctor / check    app (rule-driven)
+*   repair            app + secrets   (writes secretsContent / providerKeyContent)
+*   reset             app + secrets + install + reset (the works)
+*   install-*         install only
+*
+* Empty result (`{}`) means "no group needed" — the CLI can skip the
+* `fetchCtxViaInnerApi` call entirely and run with a synthetic empty ctx.
+* Happens e.g. when the user pinned `--rule=<key>` to a vars-free rule on
+* `doctor`.
+*/
+function planCtxPopulate(opts) {
+	if (opts.command === "install") return { install: true };
+	const populate = {};
+	const appFields = planVarsFields({
+		disabled: opts.disabled,
+		onlyRules: opts.onlyRules
+	});
+	if (appFields.length > 0) populate.app = appFields;
+	if (opts.command === "repair") populate.secrets = true;
+	else if (opts.command === "reset") {
+		populate.secrets = true;
+		populate.install = true;
+		populate.reset = true;
+	}
+	return populate;
+}
+//#endregion
 //#region src/index.ts
 const args = node_process.default.argv.slice(2);
 const mode = args.find((a) => !a.startsWith("-"));
@@ -3080,8 +4095,39 @@ function getMultiFlag(args, name) {
 	const prefix = `--${name}=`;
 	return args.filter((a) => a.startsWith(prefix)).map((a) => a.slice(prefix.length));
 }
+/**
+* Per-case telemetry helper: fires `openclaw.report_cli_run` once with
+* the command's outcome. Always called — the previous server-flag gate
+* was removed (server controls receipt by routing the apiName).
+*
+* Best-effort: a thrown reportCliRun is logged to cli.log and swallowed.
+* Never alters the data path's exit code — the user-visible work has
+* already finished by the time we report.
+*
+* `raw` is kept in the signature for backward symmetry with the doctor
+* case but is no longer consulted.
+*/
+async function reportRun(command, rc, _raw, invocation, durationMs, outcome) {
+	console.error(`${command}: telemetry calling report_cli_run`);
+	try {
+		await reportCliRun({
+			command,
+			runId: rc.runId,
+			version: getVersion(),
+			invocation,
+			durationMs,
+			caller: rc.caller,
+			traceId: rc.traceId,
+			success: outcome.success,
+			result: outcome.result,
+			error: outcome.error ? { message: outcome.error.message } : void 0
+		});
+	} catch (e) {
+		console.error(`[telemetry] reportCliRun failed: ${e.message}`);
+	}
+}
 async function main() {
-	installStderrMirror();
+	installStderrMirror({ stderrEnabled: args.includes("-x") });
 	const helpFlags = parseHelpFlags(args);
 	if (mode && helpFlags.help) {
 		const body = formatCommandHelp(mode);
@@ -3101,22 +4147,79 @@ async function main() {
 		node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
 		node_process.default.exit(1);
 	}
+	const caller = getFlag(args, "caller");
+	const traceId = getFlag(args, "trace-id");
+	const rc = setRunContext({
+		caller,
+		traceId
+	});
+	const t0 = Date.now();
+	console.error(`${mode}: begin argv=[${args.join(" ")}] version=${getVersion()} traceId=${traceId ?? "-"} caller=${caller ?? "-"} runIdGenerated=${rc.generated}`);
 	switch (mode) {
-		case "check":
+		case "check": {
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+				populate: planCtxPopulate({ command: "check" }),
+				caller,
+				traceId
+			});
+			const { legacy, report } = runCheckWithReport(buildCheckInput(raw));
+			console.log(JSON.stringify(legacy));
+			await reportRun("check", rc, raw, args.join(" "), Date.now() - t0, {
+				success: !report.aborted,
+				result: report,
+				error: report.aborted ? /* @__PURE__ */ new Error("check run aborted") : void 0
+			});
+			break;
+		}
 		case "repair": {
-			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi();
-			if (mode === "check") console.log(JSON.stringify(runCheck(buildCheckInput(raw))));
-			else console.log(JSON.stringify(runRepair(buildRepairInput(raw))));
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+				populate: planCtxPopulate({ command: "repair" }),
+				caller,
+				traceId
+			});
+			const { legacy, report } = runRepairWithReport(buildRepairInput(raw));
+			console.log(JSON.stringify(legacy));
+			await reportRun("repair", rc, raw, args.join(" "), Date.now() - t0, {
+				success: legacy.success,
+				result: report,
+				error: legacy.success ? void 0 : new Error(legacy.error ?? "repair failed")
+			});
 			break;
 		}
 		case "doctor": {
 			const fix = args.includes("--fix");
 			const rules = getMultiFlag(args, "rule");
-			const result = await runDoctor(await fetchCtxViaInnerApi(), {
+			const skipRules = getMultiFlag(args, "skip-rule");
+			const showDiff = args.includes("--show-diff");
+			const populate = planCtxPopulate({
+				command: "doctor",
+				onlyRules: fix && rules.length > 0 ? rules : void 0,
+				disabled: skipRules
+			});
+			console.error(`doctor: populate=${JSON.stringify(populate)} fix=${fix} rules=[${rules.join(",")}] skipRules=[${skipRules.join(",")}]`);
+			let raw;
+			if (Object.keys(populate).length === 0) {
+				console.error("doctor: skipping fetchCtx (empty populate)");
+				raw = {};
+			} else raw = await fetchCtxViaInnerApi({
+				populate,
+				caller,
+				traceId
+			});
+			const result = await runDoctor(raw, {
 				fix,
-				rules
+				rules,
+				skipRules,
+				showDiff
+			});
+			if (!(showDiff && fix)) console.log(JSON.stringify(result));
+			await reportRun("doctor", rc, raw, args.join(" "), Date.now() - t0, {
+				success: !result.aborted,
+				result,
+				error: result.aborted ? /* @__PURE__ */ new Error("doctor run aborted") : void 0
 			});
-			console.log(JSON.stringify(result));
+			console.error(`doctor: end aborted=${result.aborted} totalMs=${Date.now() - t0} summary=${JSON.stringify(result.summary)}`);
+			if (result.aborted) node_process.default.exit(1);
 			break;
 		}
 		case "reset":
@@ -3125,7 +4228,11 @@ async function main() {
 				let ctxBase64;
 				if (ctxArg) ctxBase64 = ctxArg.slice(6);
 				else {
-					const fetched = await fetchCtxViaInnerApi();
+					const fetched = await fetchCtxViaInnerApi({
+						populate: planCtxPopulate({ command: "reset" }),
+						caller,
+						traceId
+					});
 					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
 				}
 				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
@@ -3136,7 +4243,22 @@ async function main() {
 					node_process.default.exit(1);
 				}
 				const resultFile = resetResultFile(taskId);
-				await runReset(buildResetInput(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()), taskId, resultFile);
+				const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "reset" }),
+					caller,
+					traceId
+				});
+				const outcome = await runReset(buildResetInput(raw), taskId, resultFile);
+				await reportRun("reset", rc, raw, args.join(" "), Date.now() - t0, {
+					success: outcome.success,
+					result: {
+						taskId,
+						steps: outcome.steps,
+						failedStep: outcome.failedStep
+					},
+					error: outcome.success ? void 0 : new Error(outcome.error ?? "reset failed")
+				});
+				if (!outcome.success) node_process.default.exit(1);
 			} else {
 				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
 				node_process.default.exit(1);
@@ -3159,12 +4281,34 @@ async function main() {
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await installOpenclaw(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}));
-			console.log(JSON.stringify({ ok: true }));
+			});
+			let success = true;
+			let error;
+			try {
+				await installOpenclaw(tag, ossFileMap);
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("install-openclaw", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: { tag },
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		case "install-extension": {
@@ -3180,18 +4324,45 @@ async function main() {
 			const skipConfigUpdate = args.includes("--skip-config-update");
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await installExtension(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}), {
-				all,
-				names: names.length > 0 ? names : void 0,
-				homeBase,
-				configPath,
-				skipConfigUpdate
 			});
-			console.log(JSON.stringify({ ok: true }));
+			let success = true;
+			let error;
+			try {
+				await installExtension(tag, ossFileMap, {
+					all,
+					names: names.length > 0 ? names : void 0,
+					homeBase,
+					configPath,
+					skipConfigUpdate
+				});
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("install-extension", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: {
+					tag,
+					all,
+					names,
+					skipConfigUpdate
+				},
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		case "download-resource": {
@@ -3209,16 +4380,43 @@ async function main() {
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await downloadResource(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}), {
-				role,
-				name,
-				dir
 			});
-			console.log(JSON.stringify({ ok: true }));
+			let success = true;
+			let error;
+			try {
+				await downloadResource(tag, ossFileMap, {
+					role,
+					name,
+					dir
+				});
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("download-resource", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: {
+					tag,
+					role,
+					name,
+					dir
+				},
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		default:
@@ -3226,10 +4424,12 @@ async function main() {
 			node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
 			node_process.default.exit(1);
 	}
+	console.error(`${mode}: end totalMs=${Date.now() - t0}`);
 }
 main().catch((err) => {
 	const msg = err instanceof Error ? err.message : String(err);
-	console.error(`Error: ${msg}`);
+	console.error(`${mode ?? "<no-mode>"}: error message=${msg}`);
+	node_process.default.stderr.write(`Error: ${msg}\n`);
 	node_process.default.exit(1);
 });
 //#endregion