@lark-apaas/openclaw-scripts-diagnose-cli 0.1.4-alpha.0 → 0.1.4-alpha.2

package/dist/index.cjs

@@ -23,12 +23,12 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 //#endregion
 let node_process = require("node:process");
 node_process = __toESM(node_process);
+let node_path = require("node:path");
+node_path = __toESM(node_path);
 let json5 = require("json5");
 json5 = __toESM(json5);
 let node_fs = require("node:fs");
 node_fs = __toESM(node_fs);
-let node_path = require("node:path");
-node_path = __toESM(node_path);
 let node_child_process = require("node:child_process");
 let node_crypto = require("node:crypto");
 node_crypto = __toESM(node_crypto);
@@ -36,9 +36,26 @@ let node_os = require("node:os");
 node_os = __toESM(node_os);
 let node_stream = require("node:stream");
 let node_stream_promises = require("node:stream/promises");
+let _lark_apaas_http_client = require("@lark-apaas/http-client");
 let node_assert = require("node:assert");
 node_assert = __toESM(node_assert);
-let _lark_apaas_http_client = require("@lark-apaas/http-client");
+let json_diff = require("json-diff");
+//#region src/version.ts
+/**
+* Machine-readable identifier of the running CLI build.
+*
+*   prod build   → "0.1.3"               (the published semver)
+*   local-test   → "local-test@2026-04-28T12:30:11.123Z"
+*
+* Exists separately from `help.ts`'s `versionBanner()`, which is for human
+* display and includes prose like "(local test build, not a published
+* release)". This one goes into telemetry payloads and log slicing — keep
+* it terse and parseable.
+*/
+function getVersion() {
+	return "0.1.4-alpha.2";
+}
+//#endregion
 //#region src/rule-engine/base.ts
 /** Abstract base class for all diagnose rules */
 var DiagnoseRule = class {
@@ -88,6 +105,9 @@ function topoSort(rules) {
 }
 //#endregion
 //#region src/utils.ts
+function getExtensionsDir(configPath) {
+	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
+}
 /**
 * Canonical provider-ref for the feishu app secret. Both
 * `feishu_default_account` (multi-agent path) and `feishu_channel`
@@ -245,6 +265,32 @@ function shell(cmd, timeoutMs = 6e4) {
 	}).trim();
 }
 //#endregion
+//#region src/oc-runtime.ts
+/**
+* 探测 openclaw 运行时版本。能成功跑出版本号 = 已安装且可用。
+*
+* 比单纯 fs.existsSync 路径更可靠：能挡住 dangling symlink、依赖丢失、
+* bin 是错误版本等"看似装好但跑不起来"的状态。
+*
+* 失败（命令缺失 / 解析失败 / 超时）返回 null。
+*/
+function readOpenclawRuntimeVersion() {
+	try {
+		const lines = (0, node_child_process.execSync)("openclaw --version", {
+			encoding: "utf-8",
+			timeout: 5e3,
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).split("\n").map((l) => l.trim()).filter(Boolean);
+		return (lines[lines.length - 1]?.match(/(?:OpenClaw\s+)?(\d+\.\d+\.\d+)/))?.[1] ?? null;
+	} catch {
+		return null;
+	}
+}
+//#endregion
 //#region \0@oxc-project+runtime@0.115.0/helpers/decorate.js
 function __decorate(decorators, target, key, desc) {
 	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -253,6 +299,33 @@ function __decorate(decorators, target, key, desc) {
 	return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
 //#endregion
+//#region src/rules/openclaw-runtime-missing.ts
+/**
+* doctor 入口最先执行：检查 openclaw 是否已安装且可用（执行 `openclaw --version`）。
+*
+* 触发条件：openclaw 不可用 AND openclaw.json 存在。
+* 配合 `config_file_missing`（reset）形成完整覆盖：
+*   - oc 可用 + config 存在 → 都 pass，进业务规则
+*   - oc 可用 + config 缺   → 仅 config_file_missing fail（reset）
+*   - oc 缺   + config 存在 → 仅本规则 fail（user_confirm: install_openclaw）
+*   - oc 缺   + config 缺   → 仅 config_file_missing fail（reset 同时装 oc + 初始化 config）
+*/
+let OpenclawRuntimeMissingRule = class OpenclawRuntimeMissingRule extends DiagnoseRule {
+	validate(ctx) {
+		if (readOpenclawRuntimeVersion() != null) return { pass: true };
+		if (!node_fs.default.existsSync(ctx.configPath)) return { pass: true };
+		return {
+			pass: false,
+			action: "install_openclaw",
+			message: `openclaw 不可用（无法执行 'openclaw --version'），但 ${ctx.configPath} 已存在；请重新安装 openclaw`
+		};
+	}
+};
+OpenclawRuntimeMissingRule = __decorate([Rule({
+	key: "openclaw_runtime_missing",
+	repairMode: "user-confirm"
+})], OpenclawRuntimeMissingRule);
+//#endregion
 //#region src/rules/multi-process-detect.ts
 let ProcessStatusRule = class ProcessStatusRule extends DiagnoseRule {
 	validate(_ctx) {
@@ -415,7 +488,7 @@ let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends Diagno
 		};
 	}
 	repair(ctx) {
-		const map = ctx.templateVars;
+		const map = ctx.vars.templateVars;
 		if (!map || Object.keys(map).length === 0) return;
 		replaceInPlace(ctx.config, Object.entries(map));
 	}
@@ -423,7 +496,8 @@ let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends Diagno
 TemplateVarsUnreplacedRule = __decorate([Rule({
 	key: "template_vars_unreplaced",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["templateVars"]
 })], TemplateVarsUnreplacedRule);
 function collectPlaceholders(value, found) {
 	if (typeof value === "string") {
@@ -466,32 +540,33 @@ function applyVars(str, entries) {
 }
 //#endregion
 //#region src/rules/model-provider.ts
-var _ModelProviderRule;
-let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
-	static {
-		_ModelProviderRule = this;
-	}
-	static DEFAULT_API_KEY = {
-		source: "file",
-		provider: "miaoda-provider",
-		id: "value"
-	};
-	static DEFAULT_X_API_KEY_HEADER = {
-		source: "file",
-		provider: "miaoda-secret-provider",
-		id: "/models_providers_miaoda_headers_x_api_key"
+const DEFAULT_API_KEY = {
+	source: "file",
+	provider: "miaoda-provider",
+	id: "value"
+};
+const DEFAULT_X_API_KEY_HEADER = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/models_providers_miaoda_headers_x_api_key"
+};
+const DEFAULT_API = "openai-completions";
+function getExpected(vars) {
+	return {
+		baseUrl: vars.baseURL + "/api/v1/sgw/model/proxy",
+		apiKey: DEFAULT_API_KEY,
+		api: DEFAULT_API,
+		headers: { "x-api-key": DEFAULT_X_API_KEY_HEADER }
 	};
-	static DEFAULT_API = "openai-completions";
-	static getExpectedBaseUrl(vars) {
-		return vars.baseURL + "/api/v1/sgw/model/proxy";
-	}
+}
+let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 	validate(ctx) {
 		const provider = getNestedMap(ctx.config, "models", "providers", "miaoda");
 		if (!provider) return {
 			pass: false,
 			message: "models.providers.miaoda not found"
 		};
-		const expected = this.getExpected(ctx.vars);
+		const expected = getExpected(ctx.vars);
 		if (provider.baseUrl !== expected.baseUrl) return {
 			pass: false,
 			message: "baseUrl mismatch: got " + provider.baseUrl + ", expected " + expected.baseUrl
@@ -539,7 +614,7 @@ let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 		return { pass: true };
 	}
 	repair(ctx) {
-		const expected = this.getExpected(ctx.vars);
+		const expected = getExpected(ctx.vars);
 		setNestedValue(ctx.config, [
 			"models",
 			"providers",
@@ -565,19 +640,12 @@ let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 			"headers"
 		], expected.headers);
 	}
-	getExpected(vars) {
-		return {
-			baseUrl: _ModelProviderRule.getExpectedBaseUrl(vars),
-			apiKey: _ModelProviderRule.DEFAULT_API_KEY,
-			api: _ModelProviderRule.DEFAULT_API,
-			headers: { "x-api-key": _ModelProviderRule.DEFAULT_X_API_KEY_HEADER }
-		};
-	}
 };
-ModelProviderRule = _ModelProviderRule = __decorate([Rule({
+ModelProviderRule = __decorate([Rule({
 	key: "model_provider",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: ["innerAPIKey", "baseURL"],
 	skipWhen: ({ hasMiaoda }) => !hasMiaoda
 })], ModelProviderRule);
 //#endregion
@@ -707,7 +775,8 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 FeishuChannelRule = __decorate([Rule({
 	key: "feishu_channel",
 	dependsOn: ["config_syntax_check", "feishu_default_account"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["feishuAppID", "feishuAppSecret"]
 })], FeishuChannelRule);
 //#endregion
 //#region src/rules/feishu-default-account.ts
@@ -848,7 +917,8 @@ let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRu
 FeishuDefaultAccountRule = __decorate([Rule({
 	key: "feishu_default_account",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["feishuAppID", "teamChatID"]
 })], FeishuDefaultAccountRule);
 function nonEmpty(v) {
 	return typeof v === "string" && v !== "" ? v : void 0;
@@ -879,23 +949,19 @@ function secretMatchesCanonical(secret) {
 }
 //#endregion
 //#region src/rules/gateway.ts
-var _GatewayRule;
+const DEFAULT_PORT = 18789;
+const DEFAULT_MODE = "local";
+const DEFAULT_BIND = "loopback";
+const DEFAULT_AUTH_MODE = "token";
+const DEFAULT_AUTH_TOKEN = {
+	source: "file",
+	provider: "miaoda-secret-provider",
+	id: "/gateway_auth_token"
+};
+/** Required entries in gateway.trustedProxies. Repair appends any missing
+*  entries while preserving caller-added extras (no overwrite). */
+const DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
 let GatewayRule = class GatewayRule extends DiagnoseRule {
-	static {
-		_GatewayRule = this;
-	}
-	static DEFAULT_PORT = 18789;
-	static DEFAULT_MODE = "local";
-	static DEFAULT_BIND = "loopback";
-	static DEFAULT_AUTH_MODE = "token";
-	static DEFAULT_AUTH_TOKEN = {
-		source: "file",
-		provider: "miaoda-secret-provider",
-		id: "/gateway_auth_token"
-	};
-	/** Required entries in gateway.trustedProxies. Repair appends any missing
-	*  entries while preserving caller-added extras (no overwrite). */
-	static DEFAULT_TRUSTED_PROXIES = ["::1", "127.0.0.1"];
 	validate(ctx) {
 		const gateway = ctx.config.gateway;
 		if (!gateway || typeof gateway !== "object") return {
@@ -903,17 +969,17 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			message: "gateway not found"
 		};
 		const gw = gateway;
-		if (gw.port !== _GatewayRule.DEFAULT_PORT) return {
+		if (gw.port !== DEFAULT_PORT) return {
 			pass: false,
-			message: "gateway.port mismatch: got " + gw.port + ", expected " + _GatewayRule.DEFAULT_PORT
+			message: "gateway.port mismatch: got " + gw.port + ", expected 18789"
 		};
-		if (gw.mode !== _GatewayRule.DEFAULT_MODE) return {
+		if (gw.mode !== DEFAULT_MODE) return {
 			pass: false,
-			message: "gateway.mode mismatch: got " + gw.mode + ", expected " + _GatewayRule.DEFAULT_MODE
+			message: "gateway.mode mismatch: got " + gw.mode + ", expected local"
 		};
-		if (gw.bind !== _GatewayRule.DEFAULT_BIND) return {
+		if (gw.bind !== DEFAULT_BIND) return {
 			pass: false,
-			message: "gateway.bind mismatch: got " + gw.bind + ", expected " + _GatewayRule.DEFAULT_BIND
+			message: "gateway.bind mismatch: got " + gw.bind + ", expected loopback"
 		};
 		const auth = gw.auth;
 		if (!auth || typeof auth !== "object") return {
@@ -921,9 +987,9 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			message: "gateway.auth not found"
 		};
 		const authObj = auth;
-		if (authObj.mode !== _GatewayRule.DEFAULT_AUTH_MODE) return {
+		if (authObj.mode !== DEFAULT_AUTH_MODE) return {
 			pass: false,
-			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected " + _GatewayRule.DEFAULT_AUTH_MODE
+			message: "gateway.auth.mode mismatch: got " + authObj.mode + ", expected token"
 		};
 		const token = authObj.token;
 		if (typeof token === "string") {
@@ -932,7 +998,7 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 				message: "gateway.auth.token string value mismatch"
 			};
 		} else if (typeof token === "object" && token !== null && !Array.isArray(token)) {
-			if (!matchMap(token, _GatewayRule.DEFAULT_AUTH_TOKEN)) return {
+			if (!matchMap(token, DEFAULT_AUTH_TOKEN)) return {
 				pass: false,
 				message: "gateway.auth.token object mismatch: got " + JSON.stringify(token)
 			};
@@ -954,7 +1020,7 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 			pass: false,
 			message: "gateway.trustedProxies missing or not an array"
 		};
-		const missing = _GatewayRule.DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
+		const missing = DEFAULT_TRUSTED_PROXIES.filter((p) => !proxies.includes(p));
 		if (missing.length > 0) return {
 			pass: false,
 			message: "gateway.trustedProxies missing: " + JSON.stringify(missing)
@@ -962,19 +1028,19 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 		return { pass: true };
 	}
 	repair(ctx) {
-		setNestedValue(ctx.config, ["gateway", "port"], _GatewayRule.DEFAULT_PORT);
-		setNestedValue(ctx.config, ["gateway", "mode"], _GatewayRule.DEFAULT_MODE);
-		setNestedValue(ctx.config, ["gateway", "bind"], _GatewayRule.DEFAULT_BIND);
+		setNestedValue(ctx.config, ["gateway", "port"], DEFAULT_PORT);
+		setNestedValue(ctx.config, ["gateway", "mode"], DEFAULT_MODE);
+		setNestedValue(ctx.config, ["gateway", "bind"], DEFAULT_BIND);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"auth",
 			"mode"
-		], _GatewayRule.DEFAULT_AUTH_MODE);
+		], DEFAULT_AUTH_MODE);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"auth",
 			"token"
-		], _GatewayRule.DEFAULT_AUTH_TOKEN);
+		], DEFAULT_AUTH_TOKEN);
 		setNestedValue(ctx.config, [
 			"gateway",
 			"controlUi",
@@ -983,17 +1049,18 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 		const gw = ctx.config.gateway ?? {};
 		const current = Array.isArray(gw.trustedProxies) ? gw.trustedProxies.slice() : [];
 		const seen = new Set(current.map((v) => String(v)));
-		for (const p of _GatewayRule.DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
+		for (const p of DEFAULT_TRUSTED_PROXIES) if (!seen.has(p)) {
 			current.push(p);
 			seen.add(p);
 		}
 		setNestedValue(ctx.config, ["gateway", "trustedProxies"], current);
 	}
 };
-GatewayRule = _GatewayRule = __decorate([Rule({
+GatewayRule = __decorate([Rule({
 	key: "gateway",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["gatewayToken"]
 })], GatewayRule);
 //#endregion
 //#region src/rules/allowed-origins.ts
@@ -1037,7 +1104,8 @@ let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 AllowedOriginsRule = __decorate([Rule({
 	key: "allowed_origins",
 	dependsOn: ["config_syntax_check"],
-	repairMode: "standard"
+	repairMode: "standard",
+	usesVars: ["expectedOrigins"]
 })], AllowedOriginsRule);
 function getExpectedOrigins(vars) {
 	return Array.isArray(vars.expectedOrigins) ? vars.expectedOrigins : [];
@@ -1116,11 +1184,12 @@ JwtTokenRule = __decorate([Rule({
 	key: "jwt_token",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: ["providerFilePath"],
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider
 })], JwtTokenRule);
 //#endregion
 //#region src/rules/secrets-file.ts
-let SecretsRule = class SecretsRule extends DiagnoseRule {
+let SecretsFileRule = class SecretsFileRule extends DiagnoseRule {
 	validate(ctx) {
 		const filePath = ctx.vars.secretsFilePath;
 		if (!filePath) return {
@@ -1167,12 +1236,18 @@ let SecretsRule = class SecretsRule extends DiagnoseRule {
 		};
 	}
 };
-SecretsRule = __decorate([Rule({
+SecretsFileRule = __decorate([Rule({
 	key: "secrets_file",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
+	usesVars: [
+		"secretsFilePath",
+		"feishuAppSecret",
+		"gatewayToken",
+		"innerAPIKey"
+	],
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaSecretProvider
-})], SecretsRule);
+})], SecretsFileRule);
 //#endregion
 //#region src/rules/cleanup-install-backup-dirs.ts
 const DIR_PREFIX = ".openclaw-install-";
@@ -1293,9 +1368,6 @@ function getPluginMaps(config) {
 		allow: Array.isArray(rawAllow) ? rawAllow : void 0
 	};
 }
-function getExtensionsDir(configPath) {
-	return node_path.default.join(node_path.default.dirname(configPath), "extensions");
-}
 function hasNewMiaoda({ entries, installs, allow }) {
 	return asRecord(entries?.[NEW_MIAODA]) != null || asRecord(installs?.[NEW_MIAODA]) != null || (allow?.includes(NEW_MIAODA) ?? false);
 }
@@ -1385,293 +1457,139 @@ function getAllow(config) {
 	return allow.filter((e) => typeof e === "string");
 }
 //#endregion
-//#region src/check.ts
-function runCheck(input) {
-	const result = { failedRules: {
-		standard: [],
-		ai: [],
-		reset: []
-	} };
-	const disabledSet = new Set(input.disabledRules || []);
-	const rules = getAllRules();
-	const failedKeys = /* @__PURE__ */ new Set();
-	let configParsed = false;
-	let ctx = {
-		config: {},
-		configPath: input.configPath,
-		vars: input.vars,
-		providerDeps: {
-			usesMiaodaProvider: false,
-			usesMiaodaSecretProvider: false
-		},
-		templateVars: input.templateVars
-	};
-	for (const rule of rules) {
-		const meta = rule.meta;
-		if (disabledSet.has(meta.key)) continue;
-		if (meta.dependsOn?.some((dep) => failedKeys.has(dep))) continue;
-		if (meta.dependsOn?.includes("config_syntax_check") && !configParsed) try {
-			const parsed = loadJSON5().parse(readFile(input.configPath));
-			const deps = analyzeProviderDeps(parsed);
-			ctx = {
-				config: parsed,
-				configPath: input.configPath,
-				vars: input.vars,
-				providerDeps: deps,
-				templateVars: input.templateVars
-			};
-			configParsed = true;
-		} catch {
-			break;
-		}
-		if (meta.skipWhen && configParsed) {
-			const hasMiaoda = shouldCheckMiaodaRules(ctx.config);
-			if (meta.skipWhen({
-				hasMiaoda,
-				deps: ctx.providerDeps
-			})) continue;
-		}
-		const r = rule.validate(ctx);
-		if (!r.pass) {
-			failedKeys.add(meta.key);
-			pushFailedRule(result, meta.repairMode, meta.key, r.message || "");
-		}
-	}
-	return result;
-}
-function pushFailedRule(result, repairMode, key, detail) {
-	switch (repairMode) {
-		case "standard":
-			result.failedRules.standard.push(key);
-			break;
-		case "ai":
-			result.failedRules.ai.push({
-				rule_name: key,
-				detail
-			});
-			break;
-		case "reset":
-			result.failedRules.reset.push({
-				rule_name: key,
-				detail
-			});
-			break;
-	}
-}
-//#endregion
-//#region src/repair.ts
-function runRepair(input) {
+//#region src/fs-utils.ts
+/**
+* Rename src → dst, falling back to `mv` (which handles cross-device copy)
+* when the kernel returns EXDEV.
+*
+* Sandbox filesystems can put sibling paths on different "devices" from
+* rename(2)'s point of view: bind mounts, overlayfs copy-up, and
+* mount-point children inside a single directory all trip EXDEV. Seen in
+* production when reset's atomic swap did
+*   /home/gem/.npm-global/lib/node_modules/openclaw → openclaw.bak
+* and the openclaw subdir was a bind-mounted volume.
+*
+* Behavior:
+*   - Happy path hits rename(2) — atomic, single syscall, microseconds.
+*   - EXDEV path shells out to `mv`, which does rename() then copy+unlink
+*     on failure. Non-atomic but correct; callers already have rollback
+*     logic (install-openclaw restores from .bak) so loss of atomicity
+*     only matters if the process dies mid-copy, and that's survivable.
+*   - Any other error (ENOENT, EACCES, EBUSY...) rethrows as-is so callers
+*     see the real problem instead of a misleading `mv` fallback failure.
+*/
+function moveSafe(src, dst) {
 	try {
-		const failedSet = new Set(input.failedRules || []);
-		const repairData = input.repairData || {};
-		const rules = getAllRules();
-		for (const rule of rules) {
-			if (!failedSet.has(rule.meta.key)) continue;
-			if (rule.meta.repairMode !== "standard") continue;
-			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
-			rule.repair({
-				config: {},
-				configPath: input.configPath,
-				vars: input.vars,
-				providerDeps: {
-					usesMiaodaProvider: false,
-					usesMiaodaSecretProvider: false
-				},
-				templateVars: input.templateVars
-			});
-		}
-		const JSON5 = loadJSON5();
-		let config;
-		try {
-			config = JSON5.parse(readFile(input.configPath));
-		} catch (e) {
-			return {
-				success: false,
-				error: "cannot parse config for repair: " + e.message
-			};
-		}
-		const deps = analyzeProviderDeps(config);
-		const ctx = {
-			config,
-			configPath: input.configPath,
-			vars: input.vars,
-			providerDeps: deps,
-			templateVars: input.templateVars
-		};
-		let configDirty = false;
-		for (const rule of rules) {
-			if (!failedSet.has(rule.meta.key)) continue;
-			if (rule.meta.repairMode !== "standard") continue;
-			if (!rule.meta.dependsOn?.includes("config_syntax_check")) continue;
-			rule.repair(ctx);
-			configDirty = true;
-		}
-		if (configDirty) writeFile(input.configPath, JSON.stringify(config, null, 2));
-		if (repairData.secretsContent && input.vars.secretsFilePath) writeFile(input.vars.secretsFilePath, repairData.secretsContent);
-		if (repairData.providerKeyContent && input.vars.providerFilePath) writeFile(input.vars.providerFilePath, repairData.providerKeyContent);
-		if (repairData.restartCommand) try {
-			shell(repairData.restartCommand, 3e4);
-		} catch (e) {
-			return {
-				success: false,
-				error: "restart command failed: " + e.message
-			};
-		}
-		return { success: true };
+		node_fs.default.renameSync(src, dst);
 	} catch (e) {
-		return {
-			success: false,
-			error: "repair failed: " + e.message
-		};
+		if (e?.code !== "EXDEV") throw e;
+		execCaptureErr(`mv ${shellQuote(src)} ${shellQuote(dst)}`);
 	}
 }
-//#endregion
-//#region src/paths.ts
 /**
-* Central directory for all ephemeral diagnose/reset artifacts: task status
-* files (`reset-<taskId>.json`) and human-readable step logs
-* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
-* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
-* run, and each run's log is right next to its state.
+* Run a shell command, re-throwing with stderr attached on failure.
+*
+* Node's `execSync(..., { stdio: 'ignore' })` swallows stderr entirely —
+* callers only see "Command failed: <cmd>" with no hint of the real error
+* (ENOSPC, EROFS, "unrecognized option", etc.). Production debugging on
+* sandboxed boxes is painful without the underlying message, so we pipe
+* stderr, capture it, and embed it in the thrown Error. stdout stays
+* suppressed because the commands we run here (tar/mv) are silent on
+* success.
 */
-const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
-function resetResultFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
+function execCaptureErr(cmd) {
+	try {
+		(0, node_child_process.execSync)(cmd, { stdio: [
+			"ignore",
+			"ignore",
+			"pipe"
+		] });
+	} catch (e) {
+		const stderr = e?.stderr;
+		const stderrStr = (typeof stderr === "string" ? stderr : stderr?.toString("utf8") ?? "").trim();
+		const base = e?.message ?? "command failed";
+		throw new Error(stderrStr ? `${base}\nstderr: ${stderrStr}` : base);
+	}
 }
-function resetLogFile(taskId) {
-	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
+/** POSIX single-quote shell escape. Paths with embedded quotes are rare but
+*  the token-file path conventions in sandboxes don't guarantee cleanliness. */
+function shellQuote(s) {
+	return `'${s.replace(/'/g, `'\\''`)}'`;
 }
-/** Sandbox workspace root where openclaw config + agent state lives. */
-const WORKSPACE_DIR = "/home/gem/workspace/agent";
-/** File containing the provider key used by the openclaw miaoda provider. */
-const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
-/** File containing the miaoda openclaw secrets JSON. */
-const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
-/** Absolute path to the openclaw config JSON. */
-const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
-//#endregion
-//#region src/logger.ts
 /**
-* Shared CLI log file. Every log line the CLI emits — whether through
-* `console.error` (rules, helpers, errors) or through the per-task
-* `makeLogger` (reset worker) — is tee'd here so operators have a single
-* file to tail when diagnosing a sandbox.
+* Recursively remove a path, retrying on transient overlayfs races.
 *
-* `/tmp` is ephemeral on sandbox restart; we rely on that for rotation
-* (no size-based rotation implemented).
-*/
-const CLI_LOG_FILE = "/tmp/openclaw-diagnose/cli.log";
-/** Append one line to the shared cli.log. Swallows any fs error —
-*  logging must never break the business flow. */
-function appendCliLog(line) {
-	try {
-		const dir = node_path.default.dirname(CLI_LOG_FILE);
-		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-		node_fs.default.appendFileSync(CLI_LOG_FILE, line);
-	} catch {}
-}
-let stderrMirrorInstalled = false;
-/**
-* Install a process-wide `console.error` interceptor that mirrors each
-* line to BOTH the original stderr AND cli.log. Call once at CLI entry
-* before any subcommand dispatch; idempotent.
+* `fs.rmSync(..., { recursive: true, force: true })` walks the tree
+* issuing rmdir() per directory. On overlayfs (sandbox containers) a
+* just-emptied subdir can return EAGAIN/EBUSY/ENOTEMPTY for a short
+* window before whiteout propagation finishes — even though every
+* child has been unlinked. Same family of races as the tar/rename
+* issue handled by extractTarballTolerant + the install-openclaw
+* tmpfs swap.
 *
-* Why console.error and not console.log: the CLI's stdout carries the
-* structured JSON result protocol consumed by sandbox_console and other
-* callers — any log line on stdout would corrupt JSON parsing. Rules,
-* helpers, and error paths therefore must route debug output through
-* console.error (stderr).
+* Retries with linear backoff (50 → 250 → 750 ms). Any non-transient
+* error (EACCES, EROFS, ENOSPC...) bubbles immediately. Returns true
+* if the path is absent at the end (success or never existed).
 */
-function installStderrMirror() {
-	if (stderrMirrorInstalled) return;
-	stderrMirrorInstalled = true;
-	const original = console.error.bind(console);
-	console.error = (...args) => {
-		original(...args);
-		const body = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
-		appendCliLog(`[${(/* @__PURE__ */ new Date()).toISOString()}] ${body}\n`);
-	};
-}
-function safeStringify(v) {
-	try {
-		return JSON.stringify(v);
-	} catch {
-		return String(v);
+function rmrfTolerant(target) {
+	if (!node_fs.default.existsSync(target)) return true;
+	const transient = new Set([
+		"EAGAIN",
+		"EBUSY",
+		"ENOTEMPTY"
+	]);
+	const delaysMs = [
+		50,
+		250,
+		750
+	];
+	for (let attempt = 0; attempt <= delaysMs.length; attempt++) try {
+		node_fs.default.rmSync(target, {
+			recursive: true,
+			force: true
+		});
+		return true;
+	} catch (e) {
+		const code = e.code ?? "";
+		if (!transient.has(code) || attempt === delaysMs.length) throw e;
+		(0, node_child_process.execSync)(`sleep ${delaysMs[attempt] / 1e3}`);
 	}
+	return !node_fs.default.existsSync(target);
 }
-function makeLogger(logFile) {
-	try {
-		const dir = node_path.default.dirname(logFile);
-		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	} catch {}
-	return (msg) => {
-		const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] ${msg}\n`;
-		try {
-			node_fs.default.appendFileSync(logFile, line);
-		} catch {}
-		appendCliLog(line);
-	};
-}
-//#endregion
-//#region src/fs-utils.ts
 /**
-* Rename src → dst, falling back to `mv` (which handles cross-device copy)
-* when the kernel returns EXDEV.
+* Snapshot the current `openclaw.json` to `<configPath>.<YYYYMMDD_HHMMSS>.bak`
+* before a repair / fix flow rewrites it. Local-time stamp matches the
+* shell-style backup convention (`cp openclaw.json openclaw.json.$(date
+* +%Y%m%d_%H%M%S).bak`) so operators triaging on the sandbox see the
+* familiar filename pattern.
 *
-* Sandbox filesystems can put sibling paths on different "devices" from
-* rename(2)'s point of view: bind mounts, overlayfs copy-up, and
-* mount-point children inside a single directory all trip EXDEV. Seen in
-* production when reset's atomic swap did
-*   /home/gem/.npm-global/lib/node_modules/openclaw → openclaw.bak
-* and the openclaw subdir was a bind-mounted volume.
+* Returns the absolute backup path on success, or `null` when:
+*   - source doesn't exist (first-time setup; nothing to back up)
+*   - copy fails for any reason (disk full, permission denied, etc.)
 *
-* Behavior:
-*   - Happy path hits rename(2) — atomic, single syscall, microseconds.
-*   - EXDEV path shells out to `mv`, which does rename() then copy+unlink
-*     on failure. Non-atomic but correct; callers already have rollback
-*     logic (install-openclaw restores from .bak) so loss of atomicity
-*     only matters if the process dies mid-copy, and that's survivable.
-*   - Any other error (ENOENT, EACCES, EBUSY...) rethrows as-is so callers
-*     see the real problem instead of a misleading `mv` fallback failure.
+* Failure is logged to cli.log via console.error and swallowed — the
+* caller's repair/fix work goes ahead either way. The backup is a safety
+* net, not a correctness gate; better to do the repair than refuse over
+* a missing rollback file.
 */
-function moveSafe(src, dst) {
-	try {
-		node_fs.default.renameSync(src, dst);
-	} catch (e) {
-		if (e?.code !== "EXDEV") throw e;
-		execCaptureErr(`mv ${shellQuote(src)} ${shellQuote(dst)}`);
+function backupConfigSync(configPath) {
+	if (!node_fs.default.existsSync(configPath)) {
+		console.error(`backupConfigSync: skip — source missing path=${configPath}`);
+		return null;
 	}
-}
-/**
-* Run a shell command, re-throwing with stderr attached on failure.
-*
-* Node's `execSync(..., { stdio: 'ignore' })` swallows stderr entirely —
-* callers only see "Command failed: <cmd>" with no hint of the real error
-* (ENOSPC, EROFS, "unrecognized option", etc.). Production debugging on
-* sandboxed boxes is painful without the underlying message, so we pipe
-* stderr, capture it, and embed it in the thrown Error. stdout stays
-* suppressed because the commands we run here (tar/mv) are silent on
-* success.
-*/
-function execCaptureErr(cmd) {
+	const d = /* @__PURE__ */ new Date();
+	const pad = (n) => String(n).padStart(2, "0");
+	const backupPath = `${configPath}.${`${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}_${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}`}.bak`;
 	try {
-		(0, node_child_process.execSync)(cmd, { stdio: [
-			"ignore",
-			"ignore",
-			"pipe"
-		] });
+		node_fs.default.copyFileSync(configPath, backupPath);
+		const bytes = node_fs.default.statSync(backupPath).size;
+		console.error(`backupConfigSync: ok src=${configPath} dst=${backupPath} bytes=${bytes}`);
+		return backupPath;
 	} catch (e) {
-		const stderr = e?.stderr;
-		const stderrStr = (typeof stderr === "string" ? stderr : stderr?.toString("utf8") ?? "").trim();
-		const base = e?.message ?? "command failed";
-		throw new Error(stderrStr ? `${base}\nstderr: ${stderrStr}` : base);
+		console.error(`backupConfigSync: failed src=${configPath} message=${e.message}`);
+		return null;
 	}
 }
-/** POSIX single-quote shell escape. Paths with embedded quotes are rare but
-*  the token-file path conventions in sandboxes don't guarantee cleanliness. */
-function shellQuote(s) {
-	return `'${s.replace(/'/g, `'\\''`)}'`;
-}
 /**
 * Extract an npm-packed gzipped tarball.
 *
@@ -1746,6 +1664,971 @@ function extractTarballTolerant(tarball, destDir, opts = {}) {
 	}
 }
 //#endregion
+//#region src/rules/feishu-plugin-state-normalize.ts
+const PLUGIN_NAME$1 = "openclaw-lark";
+const BUILTIN_FEISHU = "feishu";
+const LEGACY_PLUGIN_NAME = "feishu-openclaw-plugin";
+const LEGACY_DIRS_TO_REMOVE = [LEGACY_PLUGIN_NAME, BUILTIN_FEISHU];
+const FEISHU_TOOLS = Object.freeze([
+	"feishu_bitable_app",
+	"feishu_bitable_app_table",
+	"feishu_bitable_app_table_field",
+	"feishu_bitable_app_table_record",
+	"feishu_bitable_app_table_view",
+	"feishu_calendar_calendar",
+	"feishu_calendar_event",
+	"feishu_calendar_event_attendee",
+	"feishu_calendar_freebusy",
+	"feishu_chat",
+	"feishu_chat_members",
+	"feishu_create_doc",
+	"feishu_doc_comments",
+	"feishu_doc_media",
+	"feishu_drive_file",
+	"feishu_fetch_doc",
+	"feishu_get_user",
+	"feishu_im_bot_image",
+	"feishu_im_user_fetch_resource",
+	"feishu_im_user_get_messages",
+	"feishu_im_user_get_thread_messages",
+	"feishu_im_user_message",
+	"feishu_im_user_search_messages",
+	"feishu_oauth",
+	"feishu_oauth_batch_auth",
+	"feishu_search_doc_wiki",
+	"feishu_search_user",
+	"feishu_sheet",
+	"feishu_task_comment",
+	"feishu_task_subtask",
+	"feishu_task_task",
+	"feishu_task_tasklist",
+	"feishu_update_doc",
+	"feishu_wiki_space",
+	"feishu_wiki_space_node"
+]);
+/**
+* 飞书插件状态规范化：fs 上 <extDir>/openclaw-lark/ 已落盘后统一收尾环境。
+* 各 fail 与 repair 一一对应，详见 fails.push(...) 字符串与 repair() 调用。
+*/
+let FeishuPluginStateNormalizeRule = class FeishuPluginStateNormalizeRule extends DiagnoseRule {
+	validate(ctx) {
+		if (!isPluginInstalled(ctx)) return { pass: true };
+		const fails = [];
+		if (!isNewPluginEnabled(ctx.config)) fails.push(`plugins.entries["${PLUGIN_NAME$1}"].enabled !== true（应启用）`);
+		if (isBuiltinFeishuEnabled(ctx.config)) fails.push("plugins.entries.feishu.enabled === true（应禁用）");
+		if (isTopLevelMissingFeishuTools(ctx.config)) fails.push("tools.alsoAllow 缺 feishu_* tools");
+		const legacyResiduals = findLegacyResiduals(ctx);
+		if (legacyResiduals.length > 0) fails.push(`legacy 飞书插件残留：${legacyResiduals.join(", ")}`);
+		if (fails.length === 0) return { pass: true };
+		return {
+			pass: false,
+			message: fails.join("；")
+		};
+	}
+	repair(ctx) {
+		setEntryEnabled(ctx.config, PLUGIN_NAME$1, true);
+		setEntryEnabled(ctx.config, BUILTIN_FEISHU, false);
+		ensureFeishuTools(ctx.config);
+		cleanupLegacyResiduals(ctx);
+	}
+};
+FeishuPluginStateNormalizeRule = __decorate([Rule({
+	key: "feishu_plugin_state_normalize",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "standard"
+})], FeishuPluginStateNormalizeRule);
+function isPluginInstalled(ctx) {
+	return node_fs.default.existsSync(node_path.default.join(getExtensionsDir(ctx.configPath), PLUGIN_NAME$1));
+}
+function isNewPluginEnabled(config) {
+	return asRecord(getNestedMap(config, "plugins", "entries")?.[PLUGIN_NAME$1])?.enabled === true;
+}
+function isBuiltinFeishuEnabled(config) {
+	return asRecord(getNestedMap(config, "plugins", "entries")?.[BUILTIN_FEISHU])?.enabled === true;
+}
+/** 仅看顶层 tools.alsoAllow——agent 级 alsoAllow 是用户对单 agent 的精细化授权，doctor 不动。
+*  含 "*" 或任一 feishu_* 即视为已配。 */
+function isTopLevelMissingFeishuTools(config) {
+	return !hasFeishuTool(readAlsoAllow(config));
+}
+function readAlsoAllow(host) {
+	const tools = asRecord(host)?.tools;
+	const arr = asRecord(tools)?.alsoAllow;
+	if (!Array.isArray(arr)) return [];
+	return arr.filter((e) => typeof e === "string");
+}
+function hasFeishuTool(alsoAllow) {
+	if (alsoAllow.includes("*")) return true;
+	return alsoAllow.some((t) => FEISHU_TOOLS.includes(t));
+}
+function findLegacyResiduals(ctx) {
+	const found = [];
+	const plugins = asRecord(ctx.config.plugins);
+	if (asRecord(plugins?.entries)?.[LEGACY_PLUGIN_NAME] != null) found.push("entries[legacy]");
+	const allow = plugins?.allow;
+	if (Array.isArray(allow) && allow.includes(LEGACY_PLUGIN_NAME)) found.push("allow[legacy]");
+	if (asRecord(plugins?.installs)?.[LEGACY_PLUGIN_NAME] != null) found.push("installs[legacy]");
+	const extDir = getExtensionsDir(ctx.configPath);
+	for (const name of LEGACY_DIRS_TO_REMOVE) if (node_fs.default.existsSync(node_path.default.join(extDir, name))) found.push(`fs/${name}`);
+	return found;
+}
+function setEntryEnabled(config, key, enabled) {
+	const entries = ensureRecord(ensureRecord(config, "plugins"), "entries");
+	entries[key] = {
+		...asRecord(entries[key]) ?? {},
+		enabled
+	};
+}
+function ensureFeishuTools(config) {
+	const alsoAllow = readAlsoAllow(config);
+	if (hasFeishuTool(alsoAllow)) return;
+	ensureRecord(config, "tools").alsoAllow = [...new Set([...alsoAllow, ...FEISHU_TOOLS])];
+}
+function cleanupLegacyResiduals(ctx) {
+	const plugins = asRecord(ctx.config.plugins);
+	if (plugins) {
+		const entries = asRecord(plugins.entries);
+		if (entries && LEGACY_PLUGIN_NAME in entries) delete entries[LEGACY_PLUGIN_NAME];
+		const installs = asRecord(plugins.installs);
+		if (installs && LEGACY_PLUGIN_NAME in installs) delete installs[LEGACY_PLUGIN_NAME];
+		const allow = plugins.allow;
+		if (Array.isArray(allow)) {
+			for (let i = allow.length - 1; i >= 0; i--) if (allow[i] === LEGACY_PLUGIN_NAME) allow.splice(i, 1);
+			if (!allow.includes(PLUGIN_NAME$1)) allow.push(PLUGIN_NAME$1);
+		}
+	}
+	const extDir = getExtensionsDir(ctx.configPath);
+	for (const name of LEGACY_DIRS_TO_REMOVE) {
+		const target = node_path.default.join(extDir, name);
+		const rel = node_path.default.relative(extDir, target);
+		if (!rel || rel.startsWith("..") || node_path.default.isAbsolute(rel)) continue;
+		try {
+			rmrfTolerant(target);
+		} catch (e) {
+			console.error(`[feishu_plugin_state_normalize] rmrf ${target} failed: ${e.message}`);
+		}
+	}
+}
+function ensureRecord(obj, key) {
+	const cur = obj[key];
+	if (cur != null && typeof cur === "object" && !Array.isArray(cur)) return cur;
+	const fresh = {};
+	obj[key] = fresh;
+	return fresh;
+}
+//#endregion
+//#region src/version-compat.ts
+const VERSION_COMPAT_MAP = Object.freeze([
+	{
+		openclawLarkVersion: "2026.4.8",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.4.7",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.4.1",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.3.31",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.3.30",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.3.29",
+		minOpenclawVersion: "2026.3.28"
+	},
+	{
+		openclawLarkVersion: "2026.3.26",
+		minOpenclawVersion: "2026.3.22"
+	},
+	{
+		openclawLarkVersion: "2026.3.25",
+		minOpenclawVersion: "2026.3.22"
+	},
+	{
+		openclawLarkVersion: "2026.3.24",
+		minOpenclawVersion: "2026.3.22"
+	},
+	{
+		openclawLarkVersion: "2026.3.18",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	},
+	{
+		openclawLarkVersion: "2026.3.17",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	},
+	{
+		openclawLarkVersion: "2026.3.15",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	},
+	{
+		openclawLarkVersion: "2026.3.12",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	},
+	{
+		openclawLarkVersion: "2026.3.10",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	},
+	{
+		openclawLarkVersion: "2026.3.9",
+		minOpenclawVersion: "2026.2.26",
+		maxOpenclawVersion: "2026.3.13"
+	}
+]);
+/**
+* "YYYY.M.D" 按数值分量比较（宽松解析：缺失/非数字段视为 0，suffix 如 "-rc.1" 被忽略）。
+* 不能用字符串比较 —— '2026.3.18' < '2026.3.9' 字符串语义为 true。
+*/
+function compareCalVer(a, b) {
+	const pa = parseCalVer(a);
+	const pb = parseCalVer(b);
+	for (let i = 0; i < 3; i++) {
+		if (pa[i] < pb[i]) return -1;
+		if (pa[i] > pb[i]) return 1;
+	}
+	return 0;
+}
+function parseCalVer(v) {
+	const parts = v.split(".");
+	return [
+		toNum(parts[0]),
+		toNum(parts[1]),
+		toNum(parts[2])
+	];
+}
+function toNum(s) {
+	const n = s != null ? parseInt(s, 10) : 0;
+	return Number.isFinite(n) && n >= 0 ? n : 0;
+}
+/** Whether the given openclaw version falls inside this plugin entry's compat range. */
+function compatible(entry, openclawVersion) {
+	if (compareCalVer(openclawVersion, entry.minOpenclawVersion) < 0) return false;
+	if (entry.maxOpenclawVersion != null && compareCalVer(openclawVersion, entry.maxOpenclawVersion) > 0) return false;
+	return true;
+}
+/** Look up an entry by exact plugin version; undefined if not in the table. */
+function findEntry(pluginVersion) {
+	return VERSION_COMPAT_MAP.find((e) => e.openclawLarkVersion === pluginVersion);
+}
+//#endregion
+//#region src/rules/feishu-plugin-version-compat.ts
+const PLUGIN_NAME = "openclaw-lark";
+const LEGACY_SHORT_NAMES = ["feishu-openclaw-plugin"];
+const FORK_SCOPES = ["@lark-apaas"];
+/**
+* 飞书插件 ↔ openclaw 版本兼容检测。
+*
+* 检测顺序（短路）：
+*   1. fork 魔改版（@lark-apaas scope）→ pass，不查版本
+*   2. legacy 老插件（feishu-openclaw-plugin 短名）→ 走升级流程
+*   3. 官方版（@larksuite scope 或其他）→ 按 VERSION_COMPAT_MAP 校验
+*
+* 决策方向：oc < 推荐 → upgrade_openclaw；oc ≥ 推荐 → upgrade_lark。
+*
+* `repairMode: user-confirm` —— 失败结果进 failedRules.userConfirm；CLI 不
+* 自动执行升级，由消费方弹用户确认后调对应升级接口。
+*/
+let FeishuPluginVersionCompatRule = class FeishuPluginVersionCompatRule extends DiagnoseRule {
+	validate(ctx) {
+		const recommendedOc = ctx.vars.recommendedOpenclawTag;
+		if (!recommendedOc) {
+			console.error("[feishu_plugin_version_compat] vars.recommendedOpenclawTag 未注入，跳过本规则");
+			return { pass: true };
+		}
+		const ocCur = readOpenclawRuntimeVersion();
+		if (!ocCur) return { pass: true };
+		const installed = detectInstalledPlugin(ctx);
+		if (installed == null) return { pass: true };
+		if (isForkPlugin(installed)) return { pass: true };
+		const isLegacy = isLegacyPlugin(installed);
+		if (!isLegacy && isVersionCompatible(installed, ocCur)) return { pass: true };
+		return decideUpgrade({
+			ocCur,
+			recommendedOc,
+			installed,
+			isLegacy
+		});
+	}
+};
+FeishuPluginVersionCompatRule = __decorate([Rule({
+	key: "feishu_plugin_version_compat",
+	dependsOn: ["config_syntax_check"],
+	repairMode: "user-confirm",
+	usesVars: ["recommendedOpenclawTag"]
+})], FeishuPluginVersionCompatRule);
+function isForkPlugin(p) {
+	return p.scope != null && FORK_SCOPES.includes(p.scope);
+}
+function isLegacyPlugin(p) {
+	return LEGACY_SHORT_NAMES.includes(p.allowName);
+}
+/** 装了但版本读不到、版本不在表里、或不在 entry 区间内，都视为不兼容。 */
+function isVersionCompatible(p, ocCur) {
+	if (!p.version) return false;
+	const entry = findEntry(p.version);
+	return entry != null && compatible(entry, ocCur);
+}
+function decideUpgrade(args) {
+	const { ocCur, recommendedOc, installed, isLegacy } = args;
+	const desc = describePlugin(installed);
+	const prefix = isLegacy ? `检测到老飞书插件 (${desc})` : `飞书插件 ${desc} 与 openclaw@${ocCur} 不兼容`;
+	if (compareCalVer(ocCur, recommendedOc) < 0) return {
+		pass: false,
+		action: "upgrade_openclaw",
+		message: `${prefix}；将 openclaw 升级到 ${recommendedOc}，飞书插件会随之同步升级`
+	};
+	return {
+		pass: false,
+		action: "upgrade_lark",
+		message: `${prefix}；当前 openclaw@${ocCur} 已达推荐版本，可直接升级飞书插件`
+	};
+}
+function describePlugin(p) {
+	return (p.fullName ?? p.allowName) + (p.version ? `@${p.version}` : "");
+}
+function readPluginPackageJson(filePath) {
+	try {
+		if (!node_fs.default.existsSync(filePath)) return null;
+		const raw = node_fs.default.readFileSync(filePath, "utf-8");
+		const parsed = JSON.parse(raw);
+		return {
+			name: typeof parsed.name === "string" ? parsed.name : void 0,
+			version: typeof parsed.version === "string" ? parsed.version : void 0
+		};
+	} catch {
+		return null;
+	}
+}
+/** "已装" = plugins.allow 含名 AND extensions/<name>/package.json 真实存在。 */
+function detectInstalledPlugin(ctx) {
+	const allowRaw = asRecord(ctx.config.plugins)?.allow;
+	const allow = Array.isArray(allowRaw) ? allowRaw.filter((e) => typeof e === "string") : [];
+	const extDir = getExtensionsDir(ctx.configPath);
+	const installs = getNestedMap(ctx.config, "plugins", "installs");
+	for (const name of [PLUGIN_NAME, ...LEGACY_SHORT_NAMES]) {
+		if (!allow.includes(name)) continue;
+		const pkgPath = node_path.default.join(extDir, name, "package.json");
+		if (!node_fs.default.existsSync(pkgPath)) continue;
+		const pkg = readPluginPackageJson(pkgPath) ?? {};
+		const installEntry = installs && asRecord(installs[name]);
+		const fullName = pkg.name ?? extractScopedNameFromSpec(installEntry?.spec);
+		return {
+			allowName: name,
+			fullName,
+			scope: fullName?.startsWith("@") ? fullName.split("/")[0] : void 0,
+			version: pkg.version ?? (typeof installEntry?.version === "string" ? installEntry.version : void 0)
+		};
+	}
+	return null;
+}
+/** "@scope/name@1.2.3" / "name@1.2.3" / "@scope/name" / "name" → 去掉 @version 后缀 */
+function extractScopedNameFromSpec(spec) {
+	if (typeof spec !== "string") return void 0;
+	const at = spec.indexOf("@", 1);
+	return at === -1 ? spec : spec.slice(0, at);
+}
+//#endregion
+//#region src/check.ts
+/** Telemetry-aware entry: returns both the legacy CheckResult (for stdout)
+*  AND a DoctorReport-shape payload (for `openclaw.report_cli_run`). The
+*  two views are computed from the same single rule-loop pass. */
+function runCheckWithReport(input) {
+	return runCheckImpl(input);
+}
+function runCheckImpl(input) {
+	const tStart = Date.now();
+	const result = { failedRules: {
+		standard: [],
+		ai: [],
+		reset: [],
+		userConfirm: []
+	} };
+	const outcomes = [];
+	const disabledSet = new Set(input.disabledRules || []);
+	const rules = getAllRules();
+	const failedKeys = /* @__PURE__ */ new Set();
+	let configParsed = false;
+	let aborted = false;
+	console.error(`runCheck: begin configPath=${input.configPath} disabledRules=[${[...disabledSet].join(",")}] rules=${rules.length}`);
+	let ctx = {
+		config: {},
+		configPath: input.configPath,
+		vars: input.vars,
+		providerDeps: {
+			usesMiaodaProvider: false,
+			usesMiaodaSecretProvider: false
+		}
+	};
+	for (const rule of rules) {
+		const meta = rule.meta;
+		if (disabledSet.has(meta.key)) {
+			console.error(`rule ${meta.key}: skipped reason=disabledRules`);
+			outcomes.push({
+				rule: meta.key,
+				status: "skipped",
+				message: "disabledRules"
+			});
+			continue;
+		}
+		if (meta.dependsOn?.some((dep) => failedKeys.has(dep))) {
+			const blockers = meta.dependsOn?.filter((d) => failedKeys.has(d)).join(",");
+			console.error(`rule ${meta.key}: skipped reason=dependsOn-failed blockers=${blockers}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "skipped",
+				message: `dependsOn failed: ${blockers}`
+			});
+			continue;
+		}
+		if (meta.dependsOn?.includes("config_syntax_check") && !configParsed) try {
+			const parsed = loadJSON5().parse(readFile(input.configPath));
+			const deps = analyzeProviderDeps(parsed);
+			ctx = {
+				config: parsed,
+				configPath: input.configPath,
+				vars: input.vars,
+				providerDeps: deps
+			};
+			configParsed = true;
+		} catch (e) {
+			console.error(`runCheck: config parse failed at ${meta.key} message=${e.message}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "error",
+				message: "config parse failed: " + e.message
+			});
+			aborted = true;
+			break;
+		}
+		if (meta.skipWhen && configParsed) {
+			const hasMiaoda = shouldCheckMiaodaRules(ctx.config);
+			if (meta.skipWhen({
+				hasMiaoda,
+				deps: ctx.providerDeps
+			})) {
+				console.error(`rule ${meta.key}: skipped reason=skipWhen`);
+				outcomes.push({
+					rule: meta.key,
+					status: "skipped",
+					message: "skipWhen"
+				});
+				continue;
+			}
+		}
+		const t = Date.now();
+		let r;
+		try {
+			r = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${meta.key}: validate -> error durationMs=${Date.now() - t} message=${msg}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "error",
+				message: "validate threw: " + msg
+			});
+			failedKeys.add(meta.key);
+			continue;
+		}
+		if (r.pass) {
+			console.error(`rule ${meta.key}: validate -> pass durationMs=${Date.now() - t}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "pass"
+			});
+		} else {
+			console.error(`rule ${meta.key}: validate -> failed durationMs=${Date.now() - t} message=${r.message ?? ""}`);
+			outcomes.push({
+				rule: meta.key,
+				status: "failed",
+				message: r.message,
+				action: r.action
+			});
+			failedKeys.add(meta.key);
+			pushFailedRule(result, meta.repairMode, meta.key, r.message || "", r.action);
+		}
+	}
+	console.error(`runCheck: end totalMs=${Date.now() - tStart} failed={standard:${result.failedRules.standard.length},ai:${result.failedRules.ai.length},reset:${result.failedRules.reset.length}}`);
+	return {
+		legacy: result,
+		report: finalize$2(outcomes, aborted)
+	};
+}
+function pushFailedRule(result, repairMode, key, detail, action) {
+	switch (repairMode) {
+		case "standard":
+			result.failedRules.standard.push(key);
+			break;
+		case "ai":
+			result.failedRules.ai.push({
+				rule_name: key,
+				detail
+			});
+			break;
+		case "reset":
+			result.failedRules.reset.push({
+				rule_name: key,
+				detail
+			});
+			break;
+		case "user-confirm":
+			result.failedRules.userConfirm.push({
+				rule_name: key,
+				detail,
+				action
+			});
+			break;
+	}
+}
+function finalize$2(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
+	};
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
+	}
+	return {
+		results,
+		summary,
+		aborted
+	};
+}
+//#endregion
+//#region src/repair.ts
+/** Telemetry-aware entry. Same per-rule pass + side effects, but also
+*  builds a `DoctorReport`-shape payload from per-rule revalidate
+*  outcomes (`fixed` / `still-broken` / `error`) so `report_cli_run`
+*  carries the same shape doctor produces. */
+function runRepairWithReport(input) {
+	return runRepairImpl(input);
+}
+function runRepairImpl(input) {
+	const tStart = Date.now();
+	console.error(`runRepair: begin configPath=${input.configPath} failedRules=[${(input.failedRules ?? []).join(",")}]`);
+	const outcomes = [];
+	let aborted = false;
+	let legacy = { success: true };
+	try {
+		const failedSet = new Set(input.failedRules || []);
+		const repairData = input.repairData || {};
+		const rules = getAllRules();
+		const phase1Ctx = {
+			config: {},
+			configPath: input.configPath,
+			vars: input.vars,
+			providerDeps: {
+				usesMiaodaProvider: false,
+				usesMiaodaSecretProvider: false
+			}
+		};
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			const tRepair = Date.now();
+			try {
+				rule.repair(phase1Ctx);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: repair (phase1) -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "repair threw: " + msg
+				});
+				aborted = true;
+				continue;
+			}
+			console.error(`rule ${rule.meta.key}: repair (phase1) -> ok durationMs=${Date.now() - tRepair}`);
+			const tRev = Date.now();
+			try {
+				const v = rule.validate(phase1Ctx);
+				if (v.pass) {
+					console.error(`rule ${rule.meta.key}: revalidate (phase1) -> pass (fixed) durationMs=${Date.now() - tRev}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "fixed"
+					});
+				} else {
+					console.error(`rule ${rule.meta.key}: revalidate (phase1) -> still-broken durationMs=${Date.now() - tRev} after=${v.message ?? ""}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "still-broken",
+						after: v.message
+					});
+				}
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: revalidate (phase1) -> error durationMs=${Date.now() - tRev} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "post-repair validate threw: " + msg
+				});
+				aborted = true;
+			}
+		}
+		const JSON5 = loadJSON5();
+		let config;
+		try {
+			config = JSON5.parse(readFile(input.configPath));
+		} catch (e) {
+			const msg = e.message;
+			console.error(`runRepair: config parse failed message=${msg}`);
+			outcomes.push({
+				rule: "config_syntax_check",
+				status: "error",
+				message: "config parse failed: " + msg
+			});
+			legacy = {
+				success: false,
+				error: "cannot parse config for repair: " + msg
+			};
+			return {
+				legacy,
+				report: finalize$1(outcomes, true)
+			};
+		}
+		const deps = analyzeProviderDeps(config);
+		const ctx = {
+			config,
+			configPath: input.configPath,
+			vars: input.vars,
+			providerDeps: deps
+		};
+		let configDirty = false;
+		for (const rule of rules) {
+			if (!failedSet.has(rule.meta.key)) continue;
+			if (rule.meta.repairMode !== "standard") continue;
+			if (!rule.meta.dependsOn?.includes("config_syntax_check")) continue;
+			const tRepair = Date.now();
+			try {
+				rule.repair(ctx);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: repair (phase2) -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "repair threw: " + msg
+				});
+				aborted = true;
+				continue;
+			}
+			console.error(`rule ${rule.meta.key}: repair (phase2) -> ok durationMs=${Date.now() - tRepair}`);
+			configDirty = true;
+			const tRev = Date.now();
+			try {
+				const v = rule.validate(ctx);
+				if (v.pass) {
+					console.error(`rule ${rule.meta.key}: revalidate (phase2) -> pass (fixed) durationMs=${Date.now() - tRev}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "fixed"
+					});
+				} else {
+					console.error(`rule ${rule.meta.key}: revalidate (phase2) -> still-broken durationMs=${Date.now() - tRev} after=${v.message ?? ""}`);
+					outcomes.push({
+						rule: rule.meta.key,
+						status: "still-broken",
+						after: v.message
+					});
+				}
+			} catch (e) {
+				const msg = e.message;
+				console.error(`rule ${rule.meta.key}: revalidate (phase2) -> error durationMs=${Date.now() - tRev} message=${msg}`);
+				outcomes.push({
+					rule: rule.meta.key,
+					status: "error",
+					message: "post-repair validate threw: " + msg
+				});
+				aborted = true;
+			}
+		}
+		if (configDirty) {
+			backupConfigSync(input.configPath);
+			const serialized = JSON.stringify(config, null, 2);
+			writeFile(input.configPath, serialized);
+			console.error(`runRepair: config writeback ok path=${input.configPath} bytes=${serialized.length}`);
+		}
+		if (repairData.secretsContent && input.vars.secretsFilePath) {
+			writeFile(input.vars.secretsFilePath, repairData.secretsContent);
+			console.error(`runRepair: secrets writeback ok path=${input.vars.secretsFilePath} bytes=${repairData.secretsContent.length}`);
+		}
+		if (repairData.providerKeyContent && input.vars.providerFilePath) {
+			writeFile(input.vars.providerFilePath, repairData.providerKeyContent);
+			console.error(`runRepair: provider key writeback ok path=${input.vars.providerFilePath} bytes=${repairData.providerKeyContent.length}`);
+		}
+		if (repairData.restartCommand) {
+			const t = Date.now();
+			try {
+				console.error(`runRepair: restart begin cmd=${JSON.stringify(repairData.restartCommand)}`);
+				shell(repairData.restartCommand, 3e4);
+				console.error(`runRepair: restart ok durationMs=${Date.now() - t}`);
+			} catch (e) {
+				const msg = e.message;
+				console.error(`runRepair: restart failed durationMs=${Date.now() - t} message=${msg}`);
+				legacy = {
+					success: false,
+					error: "restart command failed: " + msg
+				};
+				return {
+					legacy,
+					report: finalize$1(outcomes, true)
+				};
+			}
+		}
+		console.error(`runRepair: end success=true totalMs=${Date.now() - tStart}`);
+		legacy = { success: true };
+		return {
+			legacy,
+			report: finalize$1(outcomes, aborted)
+		};
+	} catch (e) {
+		const msg = e.message;
+		console.error(`runRepair: end success=false totalMs=${Date.now() - tStart} message=${msg}`);
+		legacy = {
+			success: false,
+			error: "repair failed: " + msg
+		};
+		return {
+			legacy,
+			report: finalize$1(outcomes, true)
+		};
+	}
+}
+function finalize$1(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
+	};
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
+	}
+	return {
+		results,
+		summary,
+		aborted
+	};
+}
+//#endregion
+//#region src/paths.ts
+/**
+* Central directory for all ephemeral diagnose/reset artifacts: task status
+* files (`reset-<taskId>.json`) and human-readable step logs
+* (`reset-<taskId>.log`). Having everything under one dir makes debugging a
+* stuck reset much easier — `ls /tmp/openclaw-diagnose/` shows every recent
+* run, and each run's log is right next to its state.
+*/
+const DIAGNOSE_DIR = "/tmp/openclaw-diagnose";
+function resetResultFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.json`;
+}
+function resetLogFile(taskId) {
+	return `${DIAGNOSE_DIR}/reset-${taskId}.log`;
+}
+/** Sandbox workspace root where openclaw config + agent state lives. */
+const WORKSPACE_DIR = "/home/gem/workspace/agent";
+/** File containing the provider key used by the openclaw miaoda provider. */
+const PROVIDER_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-provider-key";
+/** File containing the miaoda openclaw secrets JSON. */
+const SECRETS_FILE_PATH = "/home/gem/workspace/.force/openclaw/miaoda-openclaw-secrets.json";
+/** Absolute path to the openclaw config JSON. */
+const CONFIG_PATH = `${WORKSPACE_DIR}/openclaw.json`;
+//#endregion
+//#region src/run-log.ts
+let currentRunContext;
+/**
+* Install the run context for this CLI execution. Must be called once at
+* the top of `main()` before any subcommand work; idempotent (last call
+* wins, but `main` only calls it once).
+*
+* Resolution order for `runId`:
+*   1. `OPENCLAW_RUN_ID` env var — set by a parent CLI process (e.g. the
+*      `reset --async` dispatcher exports it before spawning the worker)
+*      so cli.log lines for both processes carry the same `[run=...]`
+*      tag. Any non-empty value is honoured verbatim.
+*   2. `--trace-id=<id>` flag — caller-supplied upstream trace id.
+*   3. Generated locally as `gen-<8 hex>`.
+*
+* Safe to call without any input — runId falls through to the generated
+* branch and both metadata fields stay undefined.
+*/
+function setRunContext(opts) {
+	const inherited = process.env.OPENCLAW_RUN_ID;
+	if (inherited && inherited !== "") currentRunContext = {
+		runId: inherited,
+		caller: opts.caller,
+		traceId: opts.traceId,
+		generated: false
+	};
+	else if (opts.traceId) currentRunContext = {
+		runId: opts.traceId,
+		caller: opts.caller,
+		traceId: opts.traceId,
+		generated: false
+	};
+	else currentRunContext = {
+		runId: "gen-" + (0, node_crypto.randomBytes)(4).toString("hex"),
+		caller: opts.caller,
+		traceId: void 0,
+		generated: true
+	};
+	return currentRunContext;
+}
+function getRunContext() {
+	return currentRunContext;
+}
+/**
+* Format the run-scope tag the stderr mirror injects into cli.log lines.
+* Empty string when no context is set (mirror falls back to plain
+* timestamped lines, preserving pre-context startup logging).
+*/
+function runTag(rc = currentRunContext) {
+	if (!rc) return "";
+	const parts = [`run=${rc.runId}`];
+	if (rc.caller) parts.push(`caller=${rc.caller}`);
+	return `[${parts.join(" ")}]`;
+}
+//#endregion
+//#region src/logger.ts
+/**
+* Shared CLI log file. Every log line the CLI emits — whether through
+* `console.error` (rules, helpers, errors) or through the per-task
+* `makeLogger` (reset worker) — is tee'd here so operators have a single
+* file to tail when diagnosing a sandbox.
+*
+* `/tmp` is ephemeral on sandbox restart; we rely on that for rotation
+* (no size-based rotation implemented).
+*/
+const CLI_LOG_FILE = "/tmp/openclaw-diagnose/cli.log";
+/** Append one line to the shared cli.log. Swallows any fs error —
+*  logging must never break the business flow. */
+function appendCliLog(line) {
+	try {
+		const dir = node_path.default.dirname(CLI_LOG_FILE);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+		node_fs.default.appendFileSync(CLI_LOG_FILE, line);
+	} catch {}
+}
+let stderrMirrorInstalled = false;
+/**
+* Install a process-wide `console.error` interceptor. Always tees each
+* line to cli.log; the stderr passthrough is opt-in via `stderrEnabled`.
+*
+* Default (`stderrEnabled: false`): the terminal sees ONLY this command's
+* stdout (typically a single JSON result line). Lifecycle / progress /
+* error logs are fully captured in `/tmp/openclaw-diagnose/cli.log`,
+* which is the canonical debugging surface and already carries
+* timestamps and `[run=...]` tags.
+*
+* Verbose (`stderrEnabled: true`, opt in with the top-level `-x` flag):
+* lifecycle logs also stream to stderr in real time. Useful when
+* iterating on a single sandbox.
+*
+* Idempotent: calling twice is a no-op (first install wins). Tests that
+* need to swap mode should call `resetStderrMirrorForTests()` first.
+*
+* Why console.error (and not console.log): the CLI's stdout carries the
+* structured JSON result protocol consumed by sandbox_console and other
+* callers — any log line on stdout would corrupt JSON parsing.
+*/
+function installStderrMirror(opts = {}) {
+	if (stderrMirrorInstalled) return;
+	stderrMirrorInstalled = true;
+	const stderrEnabled = opts.stderrEnabled ?? false;
+	const original = console.error.bind(console);
+	console.error = (...args) => {
+		if (stderrEnabled) original(...args);
+		const body = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
+		const tag = runTag();
+		appendCliLog(`[${(/* @__PURE__ */ new Date()).toISOString()}]${tag ? ` ${tag}` : ""} ${body}\n`);
+	};
+}
+function safeStringify(v) {
+	try {
+		return JSON.stringify(v);
+	} catch {
+		return String(v);
+	}
+}
+function makeLogger(logFile) {
+	try {
+		const dir = node_path.default.dirname(logFile);
+		if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	} catch {}
+	return (msg) => {
+		const tag = runTag();
+		const line = `[${(/* @__PURE__ */ new Date()).toISOString()}]${tag ? ` ${tag}` : ""} ${msg}\n`;
+		try {
+			node_fs.default.appendFileSync(logFile, line);
+		} catch {}
+		appendCliLog(line);
+	};
+}
+//#endregion
 //#region src/reset-async.ts
 /**
 * Start an async reset task: spawn a detached child process and return the taskId.
@@ -1769,6 +2652,9 @@ function startAsyncReset(ctxBase64) {
 	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
 	node_fs.default.writeFileSync(tmpPath, JSON.stringify(initial), "utf-8");
 	moveSafe(tmpPath, resultFile);
+	const rc = getRunContext();
+	const childEnv = { ...process.env };
+	if (rc?.runId) childEnv.OPENCLAW_RUN_ID = rc.runId;
 	const child = (0, node_child_process.spawn)(process.execPath, [
 		process.argv[1],
 		"reset",
@@ -1777,7 +2663,8 @@ function startAsyncReset(ctxBase64) {
 		`--ctx=${ctxBase64}`
 	], {
 		detached: true,
-		stdio: "ignore"
+		stdio: "ignore",
+		env: childEnv
 	});
 	child.on("error", (err) => {
 		log(`FATAL worker failed to start: ${err.message}`);
@@ -1799,6 +2686,121 @@ function startAsyncReset(ctxBase64) {
 	return { taskId };
 }
 //#endregion
+//#region src/oss/fetchWithDiag.ts
+/** Methods retried automatically on transient transport errors. POST and
+*  PATCH are deliberately excluded: a transient ECONNRESET / ETIMEDOUT
+*  after the request body has been written might mean the server
+*  received and processed it (just couldn't reply) — auto-retrying
+*  would cause duplicate side effects. AWS / GCP / Aliyun SDKs all use
+*  the same allowlist. */
+const IDEMPOTENT_METHODS = new Set([
+	"GET",
+	"HEAD",
+	"OPTIONS",
+	"DELETE",
+	"PUT"
+]);
+/** Errno codes treated as transient — almost always a stale connection
+*  or momentary network blip that succeeds on retry. The list mirrors
+*  what AWS / GCP / Aliyun SDKs retry by default. Only used for fetch
+*  rejection cause; HTTP 4xx/5xx responses pass through unchanged
+*  (caller decides whether the application-level status is retryable). */
+const TRANSIENT_CODES = new Set([
+	"ECONNRESET",
+	"ETIMEDOUT",
+	"EPIPE",
+	"ECONNREFUSED",
+	"EHOSTUNREACH",
+	"ENETUNREACH",
+	"EAI_AGAIN"
+]);
+async function fetchWithDiag(url, opts = {}) {
+	const maxRetries = opts.maxRetries ?? 2;
+	const method = (opts.init?.method ?? "GET").toUpperCase();
+	const retrySafe = opts.retryNonIdempotent || IDEMPOTENT_METHODS.has(method);
+	let lastErr;
+	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
+		return await fetchOnce(url, opts);
+	} catch (e) {
+		lastErr = e;
+		const code = extractCauseCode(e);
+		if (!(code !== void 0 && TRANSIENT_CODES.has(code)) || attempt === maxRetries) throw e;
+		if (!retrySafe) {
+			console.error(`fetch ${opts.label ?? originOf(url)}: transient ${code} but method=${method} is non-idempotent, NOT retrying`);
+			throw e;
+		}
+		const delay = 200 * Math.pow(2, attempt) + Math.floor(Math.random() * 100);
+		console.error(`fetch ${opts.label ?? originOf(url)}: transient ${code}, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`);
+		await new Promise((r) => setTimeout(r, delay));
+	}
+	throw lastErr;
+}
+/** One fetch attempt with timeout. Throws on transport / abort failures
+*  (caught by the retry loop above) and on its own enriched message form. */
+async function fetchOnce(url, opts) {
+	const label = opts.label ?? originOf(url);
+	const timeoutMs = opts.timeoutMs ?? 3e4;
+	const start = Date.now();
+	const ac = new AbortController();
+	const timer = timeoutMs > 0 && Number.isFinite(timeoutMs) ? setTimeout(() => ac.abort(), timeoutMs) : void 0;
+	try {
+		return await fetch(url, {
+			...opts.init,
+			signal: ac.signal
+		});
+	} catch (e) {
+		const durationMs = Date.now() - start;
+		const causeStr = e.name === "AbortError" || ac.signal.aborted && timeoutMs > 0 ? `request aborted after ${timeoutMs}ms (timeout)` : describeCause(e.cause) || e.message;
+		const enriched = /* @__PURE__ */ new Error(`fetch ${label} failed: ${causeStr} (url=${redactUrl(url)} durationMs=${durationMs})`);
+		enriched.cause = e.cause ?? e;
+		throw enriched;
+	} finally {
+		if (timer) clearTimeout(timer);
+	}
+}
+/** Pull the errno-style code from the deepest cause we can reach. Used by
+*  retry-classification only — error messages still get the human-readable
+*  describeCause() rendering. */
+function extractCauseCode(e) {
+	let cur = e.cause ?? e;
+	for (let depth = 0; depth < 5 && cur; depth++) {
+		const code = cur.code;
+		if (typeof code === "string") return code;
+		cur = cur.cause;
+	}
+}
+/** Walk the Error.cause chain and produce a single-line summary like
+*  `ENOTFOUND getaddrinfo ENOTFOUND oss.example.com`. */
+function describeCause(c, depth = 0) {
+	if (!c || depth > 3) return "";
+	if (c instanceof Error) {
+		const code = c.code;
+		const head = code ? `${code} ${c.message}` : c.message;
+		const inner = describeCause(c.cause, depth + 1);
+		return inner ? `${head} <- ${inner}` : head;
+	}
+	return String(c);
+}
+/** Strip query string — OSS signed URLs put the auth token there. Keeps
+*  protocol/host/path so the operator can tell *which* OSS bucket / object
+*  was being fetched. */
+function redactUrl(raw) {
+	try {
+		const u = new URL(raw);
+		const tail = u.search ? "?<redacted>" : "";
+		return `${u.protocol}//${u.host}${u.pathname}${tail}`;
+	} catch {
+		return "<invalid-url>";
+	}
+}
+function originOf(raw) {
+	try {
+		return new URL(raw).host;
+	} catch {
+		return "unknown-host";
+	}
+}
+//#endregion
 //#region src/oss/fetchManifest.ts
 const MANIFEST_PREFIX = "builtin/manifests/openclaw/recommended/";
 const MANIFEST_SUFFIX = ".json";
@@ -1810,9 +2812,23 @@ async function fetchManifest(ossFileMap, tag) {
 		const availStr = available.length ? available.join(", ") : "(none)";
 		throw new Error(`manifest signed URL missing for tag "${tag}" (key ${key}). Available tags in ossFileMap: ${availStr}. Either pass an available tag or update the studio_server TCC openclaw_upgrade_config supported_versions.`);
 	}
-	const res = await fetch(url);
-	if (!res.ok) throw new Error(`fetch manifest failed: HTTP ${res.status} ${res.statusText}`);
-	return await res.json();
+	const label = `openclaw manifest tag=${tag}`;
+	const res = await fetchWithDiag(url, { label });
+	if (!res.ok) {
+		const body = await readPreview(res);
+		throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (body ? ` body=${body}` : ""));
+	}
+	return await res.json();
+}
+/** Best-effort body preview for HTTP-error diagnostics. OSS errors are
+*  XML; first 256 chars usually contain the <Code> + <Message> we care
+*  about. Failures here are swallowed (logging-only, not load-bearing). */
+async function readPreview(res) {
+	try {
+		return (await res.text()).slice(0, 256);
+	} catch {
+		return "";
+	}
 }
 async function downloadWithCache(pkg, ossFileMap, opts = {}) {
 	const cacheRoot = opts.cacheRoot ?? "/tmp/openclaw-diagnose/resources";
@@ -1827,9 +2843,19 @@ async function downloadWithCache(pkg, ossFileMap, opts = {}) {
 	const expected = pkg.integrity.slice(7);
 	const tmpFile = node_path.default.join(destDir, `.tmp.${process.pid}.${node_crypto.default.randomBytes(4).toString("hex")}`);
 	try {
-		const res = await fetch(url);
-		if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
-		if (!res.body) throw new Error(`download failed: empty body for ${pkg.ossKey}`);
+		const label = `download ${pkg.ossKey}`;
+		const res = await fetchWithDiag(url, {
+			label,
+			timeoutMs: 6e4
+		});
+		if (!res.ok) {
+			let preview = "";
+			try {
+				preview = (await res.text()).slice(0, 256);
+			} catch {}
+			throw new Error(`${label}: HTTP ${res.status} ${res.statusText}` + (preview ? ` body=${preview}` : ""));
+		}
+		if (!res.body) throw new Error(`${label}: empty body`);
 		const hasher = node_crypto.default.createHash("sha512");
 		const source = node_stream.Readable.fromWeb(res.body);
 		async function* teeAndHash(src) {
@@ -2354,16 +3380,6 @@ function writeSecretsAndRestart(vars, resetData, configDir, log) {
 		log(`restart.sh done in ${Date.now() - t}ms`);
 	} else log(`no restart.sh at ${restartScript}, skip`);
 }
-/**
-* Run the 9-step reset process. Called from the worker entry point.
-*
-* Each step is an independent function. The orchestrator handles progress
-* reporting, error handling, and process-level exception guards.
-*
-* Template assets (openclaw.json + scripts/) are downloaded from OSS into a
-* scratch dir via `stageTemplate` before step 1 — there is no bundled
-* `template/` directory at runtime any more.
-*/
 async function runReset(input, taskId, resultFile) {
 	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
 	const { configPath, vars, resetData } = input;
@@ -2371,6 +3387,7 @@ async function runReset(input, taskId, resultFile) {
 	const stagedDir = node_path.default.join(DIAGNOSE_DIR, `reset-${taskId}-template`);
 	let currentStep = 0;
 	let stepStartedAt = Date.now();
+	const stepResults = [];
 	const log = makeLogger(resetLogFile(taskId));
 	log(`=== reset started, taskId=${taskId}, pid=${process.pid} ===`);
 	log(`configPath=${configPath}, configDir=${configDir}, stagedDir=${stagedDir}`);
@@ -2379,7 +3396,12 @@ async function runReset(input, taskId, resultFile) {
 		const err = "resetData.ossFileMap missing or empty";
 		log(`ERROR: ${err}`);
 		markFailed(resultFile, 0, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
 	}
 	let openclawTag;
 	if (resetData.openclawTag) openclawTag = resetData.openclawTag;
@@ -2389,7 +3411,12 @@ async function runReset(input, taskId, resultFile) {
 		const err = e.message;
 		log(`ERROR: ${err}`);
 		markFailed(resultFile, 0, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: 0
+		};
 	}
 	log(`openclawTag=${openclawTag}`);
 	process.on("uncaughtException", (err) => {
@@ -2402,9 +3429,19 @@ async function runReset(input, taskId, resultFile) {
 		markFailed(resultFile, currentStep, `unhandled rejection: ${reason}`, startedAt);
 		process.exit(1);
 	});
-	/** Advance to the next step, updating the progress file and logging a boundary. */
+	/** Advance to the next step, recording the previous step's success
+	*  duration and updating the on-disk progress file. */
 	const step = (n) => {
-		if (currentStep > 0) log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${Date.now() - stepStartedAt}ms`);
+		if (currentStep > 0) {
+			const dur = Date.now() - stepStartedAt;
+			log(`step ${currentStep} "${STEPS[currentStep - 1]}" done in ${dur}ms`);
+			stepResults.push({
+				step: currentStep,
+				name: STEPS[currentStep - 1],
+				status: "ok",
+				durationMs: dur
+			});
+		}
 		currentStep = n;
 		stepStartedAt = Date.now();
 		log(`--- step ${n}/${TOTAL_STEPS}: ${STEPS[n - 1]} ---`);
@@ -2430,14 +3467,38 @@ async function runReset(input, taskId, resultFile) {
 		await step8InstallExtensions(openclawTag, ossFileMap, log);
 		step(9);
 		writeSecretsAndRestart(vars, resetData, configDir, log);
-		log(`step 9 "${STEPS[8]}" done in ${Date.now() - stepStartedAt}ms`);
+		const lastDur = Date.now() - stepStartedAt;
+		log(`step 9 "${STEPS[8]}" done in ${lastDur}ms`);
+		stepResults.push({
+			step: 9,
+			name: STEPS[8],
+			status: "ok",
+			durationMs: lastDur
+		});
 		log("=== reset completed successfully ===");
 		markDone(resultFile, startedAt);
+		return {
+			success: true,
+			steps: stepResults
+		};
 	} catch (e) {
 		const err = e.message;
-		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${Date.now() - stepStartedAt}ms: ${err}\n${e.stack ?? ""}`);
+		const dur = Date.now() - stepStartedAt;
+		log(`ERROR in step ${currentStep} "${STEPS[currentStep - 1] ?? "init"}" after ${dur}ms: ${err}\n${e.stack ?? ""}`);
+		stepResults.push({
+			step: currentStep,
+			name: STEPS[currentStep - 1] ?? "init",
+			status: "fail",
+			durationMs: dur,
+			error: err
+		});
 		markFailed(resultFile, currentStep, err, startedAt);
-		process.exit(1);
+		return {
+			success: false,
+			steps: stepResults,
+			error: err,
+			failedStep: currentStep
+		};
 	} finally {
 		try {
 			node_fs.default.rmSync(stagedDir, {
@@ -2504,38 +3565,24 @@ function resolveOssFileMap(args) {
 	throw new Error("ossFileMap missing: provide --oss_file_map flag, ctx.install.ossFileMap, or resetData.ossFileMap");
 }
 //#endregion
-//#region src/innerapi/fetchCtx.ts
+//#region src/innerapi/client.ts
 /**
-* CLI-side client for studio_server's `openclaw.get_doctor_ctx` inner API.
-*
-* Mirrors the proven pattern in
-* `packages/openclaw/extensions/miaoda/src/shared/innerapi-client.ts`:
+* Shared innerapi HTTP client + path constants for `openclaw.*` calls.
 *
 *   - `baseURL` from env `FORCE_AUTHN_INNERAPI_DOMAIN` (injected into every
 *     openclaw sandbox).
 *   - `platform: { enabled, tokenProvider: { type: 'file' } }` — the platform
 *     plugin auto-attaches the sandbox's identity JWT loaded from the
 *     rootfs token file. Same auth that the miaoda extension already uses.
-*   - POST `/api/v1/studio/innerapi/integration_apis/call`
-*     body = { apiName: 'openclaw.get_doctor_ctx', input: {}, bizType: 'openclaw' }
-*     — the server-side APICall dispatches by `apiName` to
-*     `GetDoctorCtxAPICall.Execute` whose `Name()` returns that string.
-*   - Response envelope: { status_code, error_msg?, data: { success, output, ... } }.
-*     `status_code` is a *string* ('0' = success).
-*     Actual DoctorCtx lives in `data.output`.
-*   - `x-tt-logid` header is logged on every failure path for cross-service
-*     traceability.
-*
-* On HTTP 401 (sandbox identity token expired/invalid) we `process.exit(77)`
-* instead of throwing — the outer catch in `index.ts` cannot then mask auth
-* failure as a generic "Error: ...". Caller (e.g. sandbox_console) sees the
-* exit code and can refresh the token + retry.
+*   - POST `/api/v1/studio/innerapi/integration_apis/call` with body
+*     `{ apiName, bizType, input }` is the universal dispatcher; specific
+*     apiName values (e.g. `openclaw.get_doctor_ctx`,
+*     `openclaw.report_doctor_result`) are owned by individual call-site
+*     modules.
 */
 const INNERAPI_CALL_PATH = "/api/v1/studio/innerapi/integration_apis/call";
-const API_NAME = "openclaw.get_doctor_ctx";
 const BIZ_TYPE = "openclaw";
 const API_TIMEOUT_MS = 3e4;
-const MAX_LOG_BODY = 500;
 let clientInstance = null;
 function getHttpClient() {
 	if (!clientInstance) {
@@ -2552,6 +3599,35 @@ function getHttpClient() {
 	}
 	return clientInstance;
 }
+//#endregion
+//#region src/innerapi/fetchCtx.ts
+/**
+* CLI-side client for studio_server's `openclaw.get_doctor_ctx` inner API.
+*
+* Mirrors the proven pattern in
+* `packages/openclaw/extensions/miaoda/src/shared/innerapi-client.ts`:
+*
+*   - `baseURL` from env `FORCE_AUTHN_INNERAPI_DOMAIN` (injected into every
+*     openclaw sandbox).
+*   - `platform: { enabled, tokenProvider: { type: 'file' } }` — the platform
+*     plugin auto-attaches the sandbox's identity JWT loaded from the
+*     rootfs token file. Same auth that the miaoda extension already uses.
+*   - POST `/api/v1/studio/innerapi/integration_apis/call`
+*     body = { apiName: 'openclaw.get_doctor_ctx', input: {}, bizType: 'openclaw' }
+*     — the server-side APICall dispatches by `apiName` to
+*     `GetDoctorCtxAPICall.Execute` whose `Name()` returns that string.
+*   - Response envelope: { status_code, error_msg?, data: { success, output, ... } }.
+*     `status_code` is a *string* ('0' = success).
+*     Actual DoctorCtx lives in `data.output`.
+*   - `x-tt-logid` header is logged on every failure path for cross-service
+*     traceability.
+*
+* On HTTP 401 (sandbox identity token expired/invalid) we `process.exit(77)`
+* instead of throwing — the outer catch in `index.ts` cannot then mask auth
+* failure as a generic "Error: ...". Caller (e.g. sandbox_console) sees the
+* exit code and can refresh the token + retry.
+*/
+const API_NAME$1 = "openclaw.get_doctor_ctx";
 /**
 * Fetch the sandbox's DoctorCtx by calling the innerapi's generic
 * `integration_apis/call` dispatcher with apiName=openclaw.get_doctor_ctx.
@@ -2559,14 +3635,19 @@ function getHttpClient() {
 * Throws on HTTP (non-401) / decode / business errors. On 401 calls
 * `process.exit(77)` directly.
 */
-async function fetchCtxViaInnerApi() {
+async function fetchCtxViaInnerApi(opts = {}) {
 	const client = getHttpClient();
+	const input = {};
+	if (opts.populate !== void 0) input.populate = opts.populate;
+	if (opts.caller) input.caller = opts.caller;
+	if (opts.traceId) input.traceId = opts.traceId;
 	const body = {
-		apiName: API_NAME,
-		input: {},
+		apiName: API_NAME$1,
+		input,
 		bizType: BIZ_TYPE
 	};
 	const start = Date.now();
+	console.error(`fetchCtx: start populate=${JSON.stringify(opts.populate ?? {})}${opts.caller ? ` caller=${opts.caller}` : ""}${opts.traceId ? ` traceId=${opts.traceId}` : ""}`);
 	const headers = { "Content-Type": "application/json" };
 	const ttEnv = process.env.X_TT_ENV;
 	if (ttEnv) headers["x-tt-env"] = ttEnv;
@@ -2596,7 +3677,7 @@ async function fetchCtxViaInnerApi() {
 		}
 		let preview = "";
 		try {
-			preview = (await response.text()).slice(0, MAX_LOG_BODY);
+			preview = (await response.text()).slice(0, 500);
 		} catch {}
 		throw new Error(`fetchCtxViaInnerApi HTTP ${response.status} ${response.statusText} (logID: ${logId}, durationMs: ${durationMs})${preview ? ` body=${preview}` : ""}`);
 	}
@@ -2610,6 +3691,7 @@ async function fetchCtxViaInnerApi() {
 	if (envelope.data && envelope.data.success === false) throw new Error(`fetchCtxViaInnerApi business error (logID: ${logId}, durationMs: ${durationMs}): ${envelope.error_msg ?? JSON.stringify(envelope.data)}`);
 	const output = envelope.data?.output;
 	if (!output || typeof output !== "object") throw new Error(`fetchCtxViaInnerApi empty/invalid output (logID: ${logId}, durationMs: ${durationMs})`);
+	console.error(`fetchCtx: ok logId=${logId} durationMs=${durationMs} groups=[${Object.keys(output).join(",")}]`);
 	return output;
 }
 //#endregion
@@ -2628,26 +3710,40 @@ async function fetchCtxViaInnerApi() {
 */
 function normalizeCtx(raw) {
 	const r = raw ?? {};
-	if (r.app && typeof r.app === "object" && r.install && typeof r.install === "object" && r.secrets && typeof r.secrets === "object" && r.reset && typeof r.reset === "object") return {
-		app: fillApp(r.app),
-		install: {
-			openclawTag: r.install.openclawTag,
-			ossFileMap: r.install.ossFileMap ?? {}
-		},
-		secrets: {
-			secretsContent: r.secrets.secretsContent ?? "",
-			providerKeyContent: r.secrets.providerKeyContent ?? ""
-		},
-		reset: {
-			templateVars: r.reset.templateVars ?? {},
-			coreBackup: r.reset.coreBackup
-		}
-	};
+	if (r.app && typeof r.app === "object" && r.install && typeof r.install === "object" && r.secrets && typeof r.secrets === "object" && r.reset && typeof r.reset === "object") {
+		const templateVars = r.app.templateVars && typeof r.app.templateVars === "object" ? r.app.templateVars : r.reset.templateVars ?? {};
+		const recommendedOpenclawTag = typeof r.app.recommendedOpenclawTag === "string" && r.app.recommendedOpenclawTag !== "" ? r.app.recommendedOpenclawTag : typeof r.install.openclawTag === "string" && r.install.openclawTag !== "" ? r.install.openclawTag : void 0;
+		return {
+			app: {
+				...fillApp(r.app),
+				templateVars,
+				recommendedOpenclawTag
+			},
+			install: {
+				openclawTag: r.install.openclawTag,
+				ossFileMap: r.install.ossFileMap ?? {}
+			},
+			secrets: {
+				secretsContent: r.secrets.secretsContent ?? "",
+				providerKeyContent: r.secrets.providerKeyContent ?? ""
+			},
+			reset: {
+				templateVars: r.reset.templateVars ?? {},
+				coreBackup: r.reset.coreBackup
+			}
+		};
+	}
 	const vars = r.vars ?? {};
 	const resetData = r.resetData ?? {};
 	const repairData = r.repairData ?? {};
+	const legacyTemplateVars = vars.templateVars && typeof vars.templateVars === "object" ? vars.templateVars : resetData.templateVars ?? r.templateVars ?? {};
+	const legacyRecommendedTag = typeof vars.recommendedOpenclawTag === "string" && vars.recommendedOpenclawTag !== "" ? vars.recommendedOpenclawTag : typeof resetData.openclawTag === "string" && resetData.openclawTag !== "" ? resetData.openclawTag : typeof r.openclawTag === "string" && r.openclawTag !== "" ? r.openclawTag : void 0;
 	return {
-		app: fillApp(vars),
+		app: {
+			...fillApp(vars),
+			templateVars: legacyTemplateVars,
+			recommendedOpenclawTag: legacyRecommendedTag
+		},
 		install: {
 			openclawTag: r.install?.openclawTag ?? r.openclawTag,
 			ossFileMap: r.install?.ossFileMap ?? resetData.ossFileMap ?? r.ossFileMap ?? {}
@@ -2700,11 +3796,15 @@ function fillApp(src) {
 function buildCheckInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2718,19 +3818,25 @@ function buildCheckInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
-		templateVars: ctx.reset.templateVars
+		templateVars: ctx.app.templateVars
 	};
 }
 function buildRepairInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2744,23 +3850,29 @@ function buildRepairInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		repairData: {
 			secretsContent: ctx.secrets.secretsContent,
 			providerKeyContent: ctx.secrets.providerKeyContent
 		},
-		templateVars: ctx.reset.templateVars
+		templateVars: ctx.app.templateVars
 	};
 }
 function buildResetInput(raw, configPathOverride) {
 	const r = raw ?? {};
 	if (r.configPath && r.vars && r.resetData) {
-		if (configPathOverride) return {
+		const out = configPathOverride ? {
 			...r,
 			configPath: configPathOverride
+		} : { ...r };
+		if (out.vars && !out.vars.templateVars) out.vars = {
+			...out.vars,
+			templateVars: out.resetData?.templateVars ?? {}
 		};
-		return r;
+		return out;
 	}
 	const ctx = normalizeCtx(raw);
 	return {
@@ -2774,7 +3886,9 @@ function buildResetInput(raw, configPathOverride) {
 			baseURL: ctx.app.baseURL,
 			expectedOrigins: ctx.app.expectedOrigins,
 			providerFilePath: PROVIDER_FILE_PATH,
-			secretsFilePath: SECRETS_FILE_PATH
+			secretsFilePath: SECRETS_FILE_PATH,
+			templateVars: ctx.app.templateVars,
+			recommendedOpenclawTag: ctx.app.recommendedOpenclawTag
 		},
 		resetData: {
 			templateVars: ctx.reset.templateVars,
@@ -2788,30 +3902,381 @@ function buildResetInput(raw, configPathOverride) {
 }
 //#endregion
 //#region src/doctor.ts
+/**
+* Per-rule orchestration with telemetry-friendly outcomes.
+*
+* Flow per rule (in topological order, after disabledRules / dependsOn /
+* skipWhen filtering):
+*
+*   1. validate            — exception → status='error', abort
+*   2. pass                → status='pass'
+*   3. fail and !opts.fix  → status='failed' (with v1.message)
+*   4. fail and opts.fix   →
+*      a. only standard-mode rules attempt repair; ai/reset stay 'failed'
+*      b. repair             — exception → status='error', abort
+*      c. re-validate        — exception → status='error', abort
+*      d. v2.pass            → status='fixed' (before = v1.message)
+*      e. v2.fail            → status='still-broken' (before+after)
+*
+* Aborted runs return a partial DoctorReport with `aborted: true`. The
+* caller should `console.log(JSON.stringify(report))` first, THEN
+* `process.exit(1)` so sweep / telemetry callers always get the partial
+* data plus the non-zero signal.
+*
+* Config writeback: if opts.fix and at least one rule transitioned
+* pass→fixed, the in-memory ctx.config is JSON-serialized and written
+* back to opts.configPath. On abort, no write — keep the on-disk file
+* matching whatever was successful before the failure.
+*
+* Secrets file / provider-key / restart-command writes are NOT performed
+* by doctor. Those belong to the standalone `repair` subcommand which
+* sandbox_console push uses. Doctor is for diagnosis + per-rule fix
+* with structured outcomes.
+*/
 async function runDoctor(rawCtx, opts) {
-	if (opts.fix && opts.rules.length > 0) {
-		const repairInput = buildRepairInput(rawCtx, opts.configPath);
-		repairInput.failedRules = opts.rules;
-		repairInput.repairData = {
-			...repairInput.repairData ?? {},
-			restartCommand: ""
-		};
-		return { repair: runRepair(repairInput) };
-	}
-	const check = runCheck(buildCheckInput(rawCtx, opts.configPath));
-	if (!opts.fix) return { failedRules: check.failedRules };
-	const repairInput = buildRepairInput(rawCtx, opts.configPath);
-	repairInput.failedRules = check.failedRules.standard;
+	const results = [];
+	console.error(`runDoctor: begin fix=${opts.fix} rules=[${opts.rules.join(",")}] configPath=${opts.configPath ?? "(default)"}`);
+	const checkInput = buildCheckInput(rawCtx, opts.configPath);
+	let configRaw;
+	let config;
+	try {
+		configRaw = readFile(checkInput.configPath);
+	} catch (e) {
+		console.error(`runDoctor: read config failed at ${checkInput.configPath} message=${e.message}`);
+		return finalize([{
+			rule: "config_syntax_check",
+			status: "error",
+			message: "read config failed: " + e.message
+		}], true);
+	}
+	try {
+		config = loadJSON5().parse(configRaw);
+	} catch (e) {
+		console.error(`runDoctor: config JSON5 parse failed message=${e.message}`);
+		results.push({
+			rule: "config_syntax_check",
+			status: opts.fix ? "still-broken" : "failed",
+			message: "config JSON5 parse failed: " + e.message
+		});
+		return finalize(results, true);
+	}
+	const ctx = {
+		config,
+		configPath: checkInput.configPath,
+		vars: checkInput.vars,
+		providerDeps: analyzeProviderDeps(config)
+	};
+	const originalConfig = opts.showDiff && opts.fix ? deepClone(config) : null;
+	const allRules = getAllRules();
+	const onlyKeys = opts.rules.length > 0 ? new Set(opts.rules) : null;
+	const skipRuleKeys = new Set(opts.skipRules ?? []);
+	const disabledKeys = new Set([...checkInput.disabledRules ?? [], ...skipRuleKeys]);
+	if (onlyKeys) {
+		const registeredKeys = new Set(allRules.map((r) => r.meta.key));
+		for (const k of opts.rules) if (!registeredKeys.has(k)) results.push({
+			rule: k,
+			status: "unknown"
+		});
+	}
+	const failedKeys = /* @__PURE__ */ new Set();
+	let configDirty = false;
+	let aborted = false;
+	const hasMiaoda = shouldCheckMiaodaRules(config);
+	const plannedRules = allRules.filter((r) => !onlyKeys || onlyKeys.has(r.meta.key));
+	console.error(`runDoctor: planned ${plannedRules.length} rules hasMiaoda=${hasMiaoda} providerDeps=${JSON.stringify(ctx.providerDeps)}`);
+	outer: for (const rule of allRules) {
+		const key = rule.meta.key;
+		if (onlyKeys && !onlyKeys.has(key)) continue;
+		if (disabledKeys.has(key)) {
+			const reason = skipRuleKeys.has(key) ? "--skip-rule" : "disabledRules";
+			console.error(`rule ${key}: skipped reason=${reason}`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: reason
+			});
+			continue;
+		}
+		if (rule.meta.dependsOn?.some((d) => failedKeys.has(d))) {
+			const blockers = rule.meta.dependsOn?.filter((d) => failedKeys.has(d)).join(",");
+			console.error(`rule ${key}: skipped reason=dependsOn-failed blockers=${blockers}`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: `dependsOn failed: ${blockers}`
+			});
+			continue;
+		}
+		if (rule.meta.skipWhen?.({
+			hasMiaoda,
+			deps: ctx.providerDeps
+		})) {
+			console.error(`rule ${key}: skipped reason=skipWhen`);
+			results.push({
+				rule: key,
+				status: "skipped",
+				message: "skipWhen"
+			});
+			continue;
+		}
+		const tValidate = Date.now();
+		let v1;
+		try {
+			v1 = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: validate -> error durationMs=${Date.now() - tValidate} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "validate threw: " + msg
+			});
+			aborted = true;
+			break outer;
+		}
+		if (v1.pass) {
+			console.error(`rule ${key}: validate -> pass durationMs=${Date.now() - tValidate}`);
+			results.push({
+				rule: key,
+				status: "pass"
+			});
+			continue;
+		}
+		if (!opts.fix) {
+			console.error(`rule ${key}: validate -> failed durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "failed",
+				message: v1.message,
+				action: v1.action
+			});
+			failedKeys.add(key);
+			continue;
+		}
+		if (rule.meta.repairMode !== "standard") {
+			console.error(`rule ${key}: validate -> failed (no auto-repair, repairMode=${rule.meta.repairMode}) durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "failed",
+				message: v1.message,
+				action: v1.action
+			});
+			failedKeys.add(key);
+			continue;
+		}
+		console.error(`rule ${key}: validate -> failed durationMs=${Date.now() - tValidate} message=${v1.message ?? ""}`);
+		const tRepair = Date.now();
+		try {
+			rule.repair(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: repair -> error durationMs=${Date.now() - tRepair} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "repair threw: " + msg,
+				before: v1.message
+			});
+			aborted = true;
+			break outer;
+		}
+		console.error(`rule ${key}: repair -> ok durationMs=${Date.now() - tRepair}`);
+		configDirty = true;
+		const tRevalidate = Date.now();
+		let v2;
+		try {
+			v2 = rule.validate(ctx);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`rule ${key}: revalidate -> error durationMs=${Date.now() - tRevalidate} message=${msg}`);
+			results.push({
+				rule: key,
+				status: "error",
+				message: "post-repair validate threw: " + msg,
+				before: v1.message
+			});
+			aborted = true;
+			break outer;
+		}
+		if (v2.pass) {
+			console.error(`rule ${key}: revalidate -> pass (fixed) durationMs=${Date.now() - tRevalidate}`);
+			results.push({
+				rule: key,
+				status: "fixed",
+				before: v1.message
+			});
+		} else {
+			console.error(`rule ${key}: revalidate -> still-broken durationMs=${Date.now() - tRevalidate} after=${v2.message ?? ""}`);
+			results.push({
+				rule: key,
+				status: "still-broken",
+				before: v1.message,
+				after: v2.message
+			});
+			failedKeys.add(key);
+		}
+	}
+	let backupPath = null;
+	if (configDirty && !aborted) {
+		backupPath = backupConfigSync(ctx.configPath);
+		const serialized = JSON.stringify(ctx.config, null, 2);
+		try {
+			writeFile(ctx.configPath, serialized);
+			console.error(`runDoctor: writeback ok path=${ctx.configPath} bytes=${serialized.length}`);
+		} catch (e) {
+			const msg = e.message;
+			console.error(`runDoctor: writeback failed path=${ctx.configPath} message=${msg}`);
+			results.push({
+				rule: "*config-writeback*",
+				status: "error",
+				message: "config write failed: " + msg
+			});
+			aborted = true;
+		}
+	} else if (configDirty && aborted) console.error("runDoctor: writeback skipped (aborted, leaving on-disk config untouched)");
+	else console.error("runDoctor: writeback skipped (no rule transitioned to fixed)");
+	console.error(`runDoctor: end aborted=${aborted} results=${results.length}`);
+	if (originalConfig !== null) {
+		const d = (0, json_diff.diffString)(originalConfig, ctx.config, { color: false });
+		console.error(`runDoctor: diff backupPath=${backupPath ?? "(none)"} changed=${!!d}`);
+		if (d) {
+			process.stdout.write(`original:    ${backupPath ?? "(none)"}\n`);
+			process.stdout.write(`after fixed: ${ctx.configPath}\n`);
+			process.stdout.write("diff:\n");
+			process.stdout.write(d);
+			if (!d.endsWith("\n")) process.stdout.write("\n");
+		} else process.stdout.write("(no openclaw.json changes)\n");
+	}
+	return finalize(results, aborted);
+}
+/** Deep-clone a JSON-shaped value. Uses structuredClone where available
+*  (Node 17+); falls back to JSON round-trip otherwise. The config we
+*  clone here is JSON5-parsed so it's strictly tree-shaped — no
+*  references, no functions — making both paths equivalent. */
+function deepClone(v) {
+	if (typeof structuredClone === "function") return structuredClone(v);
+	return JSON.parse(JSON.stringify(v));
+}
+function finalize(results, aborted) {
+	const summary = {
+		pass: 0,
+		failed: 0,
+		fixed: 0,
+		stillBroken: 0,
+		skipped: 0,
+		error: 0,
+		unknown: 0
+	};
+	for (const r of results) switch (r.status) {
+		case "pass":
+			summary.pass++;
+			break;
+		case "failed":
+			summary.failed++;
+			break;
+		case "fixed":
+			summary.fixed++;
+			break;
+		case "still-broken":
+			summary.stillBroken++;
+			break;
+		case "skipped":
+			summary.skipped++;
+			break;
+		case "error":
+			summary.error++;
+			break;
+		case "unknown":
+			summary.unknown++;
+			break;
+	}
 	return {
-		check,
-		repair: runRepair(repairInput)
+		results,
+		summary,
+		aborted
+	};
+}
+//#endregion
+//#region src/innerapi/reportCliRun.ts
+/**
+* CLI-side client for studio_server's `openclaw.report_cli_run` inner
+* API — the unified telemetry sink for every CLI command.
+*
+* Best-effort: gated by `DoctorCtx.telemetry.reportCliRun` returned by
+* `get_doctor_ctx`. When the server hasn't rolled out the API yet the
+* flag is absent and the CLI never invokes this. When enabled, the CLI
+* fires-and-forgets one report per command after work is done.
+*
+* Failures here MUST NOT change exit code or otherwise affect the
+* command's data path — telemetry is auxiliary. Caller is expected to
+* `try/catch` and just `console.error` on rejection.
+*
+* Replaces the earlier `openclaw.report_doctor_result` API. The schema
+* generalises so check / repair / install-* / download-resource / reset
+* (worker) can all use the same envelope; per-command shape lives under
+* `result`.
+*/
+const API_NAME = "openclaw.report_cli_run";
+async function reportCliRun(opts) {
+	const client = getHttpClient();
+	const input = {
+		command: opts.command,
+		runId: opts.runId,
+		version: opts.version,
+		invocation: opts.invocation,
+		durationMs: opts.durationMs,
+		success: opts.success
+	};
+	if (opts.caller) input.caller = opts.caller;
+	if (opts.traceId) input.traceId = opts.traceId;
+	if (opts.result !== void 0) input.result = opts.result;
+	if (opts.error) input.error = opts.error;
+	const body = {
+		apiName: API_NAME,
+		input,
+		bizType: BIZ_TYPE
 	};
+	const headers = { "Content-Type": "application/json" };
+	const ttEnv = process.env.X_TT_ENV;
+	if (ttEnv) headers["x-tt-env"] = ttEnv;
+	const start = Date.now();
+	console.error(`reportCliRun: start command=${opts.command} success=${opts.success} version=${opts.version} invocation=${JSON.stringify(opts.invocation)} durationMs=${opts.durationMs}`);
+	let response;
+	try {
+		response = await client.post(INNERAPI_CALL_PATH, body, { headers });
+	} catch (e) {
+		if (e instanceof _lark_apaas_http_client.HttpError && e.response) {
+			const status = e.response.status;
+			const logId = e.response.headers.get("x-tt-logid") ?? "";
+			throw new Error(`reportCliRun HTTP ${status} ${e.response.statusText} (logID: ${logId})`);
+		}
+		const msg = e instanceof Error ? e.message : String(e);
+		throw new Error(`reportCliRun network error: ${msg}`);
+	}
+	const logId = response.headers.get("x-tt-logid") ?? "";
+	if (!response.ok) {
+		let preview = "";
+		try {
+			preview = (await response.text()).slice(0, 500);
+		} catch {}
+		throw new Error(`reportCliRun HTTP ${response.status} ${response.statusText} (logID: ${logId})${preview ? ` body=${preview}` : ""}`);
+	}
+	let envelope;
+	try {
+		envelope = await response.json();
+	} catch {
+		console.error(`reportCliRun: ok logId=${logId} httpDurationMs=${Date.now() - start} (body unparseable, treated as success)`);
+		return;
+	}
+	if (envelope.status_code !== void 0 && envelope.status_code !== "0") throw new Error(`reportCliRun API error (logID: ${logId}): code=${envelope.status_code}, message=${envelope.error_msg ?? ""}`);
+	if (envelope.data && envelope.data.success === false) throw new Error(`reportCliRun business error (logID: ${logId}): ${envelope.error_msg ?? JSON.stringify(envelope.data)}`);
+	console.error(`reportCliRun: ok logId=${logId} httpDurationMs=${Date.now() - start}`);
 }
 //#endregion
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.4-alpha.0`;
+	return `v0.1.4-alpha.2`;
 }
 const COMMANDS = [
 	{
@@ -2819,46 +4284,85 @@ const COMMANDS = [
 		hidden: false,
 		summary: "Diagnose openclaw config; apply repairs with --fix",
 		help: `USAGE
-  ${BIN} doctor [--fix] [--rule=<key>]...
+  ${BIN} doctor [--fix] [--show-diff] [--rule=<key>]... [--skip-rule=<key>]...
+                [--caller=<n>] [--trace-id=<id>]
 
 DESCRIPTION
-  Fetches DoctorCtx via innerapi, then runs one of three modes depending
-  on the flags. Output is a single JSON object on stdout.
+  Fetches DoctorCtx via innerapi, then orchestrates each rule:
+
+    validate (always)
+      pass               → status='pass'
+      fail and !--fix    → status='failed'
+      fail and --fix
+        repair → re-validate
+          pass           → status='fixed'
+          still fail     → status='still-broken'
 
-MODES
-  (no flags)              Check-only. Runs the rule engine against the
-                          sandbox's current openclaw config and returns
-                            { failedRules: { standard, ai, reset } }
-                          No files are mutated. Use this when you just
-                          want to know what's wrong.
+  Output is a single JSON object on stdout:
 
-  --fix                   Check + repair-all. First runs the rule engine,
-                          then repairs every failing standard-mode rule.
-                          Returns
-                            { check: {...}, repair: {...} }
-                          Use this as the default "fix everything" action.
+    {
+      "results": [{ "rule": "...", "status": "...", "message"?: "...", ...}],
+      "summary": { "pass": N, "failed": N, "fixed": N, "stillBroken": N,
+                   "skipped": N, "error": N, "unknown": N },
+      "aborted": false
+    }
 
-  --fix --rule=<key>...   Targeted repair. Skips the check pass entirely
-                          and runs repair against the listed rule keys
-                          only. Unknown keys are silently ignored.
-                          Returns { repair: {...} } with only those
-                          rules' outcomes. Use this when you already
-                          know which rules need fixing.
+STATUSES
+  pass            Rule's validate passed; no repair attempted.
+  failed          Rule's validate failed; --fix was not given.
+  fixed           Rule's validate failed; repair ran; re-validate passed.
+  still-broken    Rule's validate failed; repair ran; re-validate still failed.
+  skipped         Rule excluded by disabledRules / --skip-rule / dependsOn /
+                  skipWhen.
+  error           validate or repair threw an exception. ABORTS the run —
+                  exit code becomes 1; partial 'results' still written to stdout.
+  unknown         --rule=<k> with k not registered. Reported, not aborting.
 
 OPTIONS
-  --fix                   Enable repair. See MODES above.
-  --rule=<key>            Repair only this rule key. Repeatable. Only
-                          meaningful together with --fix.
+  --fix              Enable repair. Without it, validate runs but failures
+                     are reported as 'failed' instead of being repaired.
+  --show-diff        With --fix: replace the JSON report on stdout with
+                     a plain-text section showing
+                       original:    <backup path>
+                       after fixed: <openclaw.json path>
+                       diff:
+                       <unified-diff body, same format as \`json-diff\`>
+                     Interactive flag — sandbox_console's push path never
+                     sets it, so the JSON contract is preserved for that
+                     caller. No-op without --fix (no mutation, no diff).
+  --rule=<key>       Whitelist: restrict the run to this rule key (repeatable).
+                     Without --rule, every registered rule runs. With --rule,
+                     the planner narrows the innerapi vars fetch to just
+                     that rule's needs (see lazy-vars).
+  --skip-rule=<key>  Blacklist: skip the rule entirely — neither validate
+                     nor repair runs (repeatable). Outcome is 'skipped' with
+                     message='--skip-rule'. Stacks with the server's
+                     disabledRules. Skipped rules also subtract their vars
+                     from the planner's union.
+  --caller=<name>    Optional metadata; passed through verbatim to innerapi
+                     (fetchCtx + report_cli_run body.input.caller).
+                     E.g. "sweep_job", "user_yxy". Server uses for audit /
+                     correlation; CLI doesn't act on it.
+  --trace-id=<id>    Optional log-correlation id; passed through verbatim
+                     to innerapi body.input.traceId. Typically the upstream
+                     caller's logID (e.g. sandbox_console's request id).
 
 EXAMPLES
-  ${BIN} doctor                                            # check only
-  ${BIN} doctor --fix                                      # check then repair all
-  ${BIN} doctor --fix --rule=gateway                       # repair 'gateway' only
-  ${BIN} doctor --fix --rule=gateway --rule=jwt_token      # repair multiple
+  ${BIN} doctor                                          # diagnose, no fixes
+  ${BIN} doctor --fix                                    # diagnose + fix everything
+  ${BIN} doctor --fix --rule=gateway                     # fix only 'gateway'
+  ${BIN} doctor --fix --skip-rule=feishu_channel         # fix everything except feishu
+  ${BIN} doctor --fix --skip-rule=feishu_channel --skip-rule=feishu_default_account
+                                                         # skip multiple rules
+  ${BIN} doctor --fix --show-diff                        # see exactly what changed
+                                                         # (plain-text diff after
+                                                         # the JSON report)
 
 EXIT CODES
-  0    success
-  1    generic error
+  0    completed (results may include 'failed' / 'still-broken' — those
+       are normal data outcomes, not run failures)
+  1    aborted because a rule's validate or repair threw. Partial
+       results still on stdout.
   77   innerapi authentication failed (sandbox JWT expired/invalid)
 `
 	},
@@ -3047,6 +4551,62 @@ function formatCommandHelp(name) {
 	return cmd.help;
 }
 //#endregion
+//#region src/rule-engine/planner.ts
+/**
+* Compute the union of `Vars` field names that the **enabled** rules will
+* actually read. Sources from each rule's `@Rule({ usesVars: [...] })`
+* declaration; drift is caught at test time by `strict-vars.test.ts`.
+*
+* Inactive rules (skipped via skipWhen at runtime) are STILL counted —
+* skipWhen depends on parsed-config state we don't have at planning time.
+* Slight over-fetch in those cases, but no correctness issue.
+*
+* Result is stable-sorted for deterministic logging / test snapshots.
+*/
+function planVarsFields(opts = {}) {
+	const disabled = new Set(opts.disabled ?? []);
+	const only = opts.onlyRules && opts.onlyRules.length > 0 ? new Set(opts.onlyRules) : null;
+	const fields = /* @__PURE__ */ new Set();
+	for (const rule of getAllRules()) {
+		const key = rule.meta.key;
+		if (disabled.has(key)) continue;
+		if (only && !only.has(key)) continue;
+		for (const f of rule.meta.usesVars ?? []) fields.add(f);
+	}
+	return [...fields].sort();
+}
+/**
+* Plan a `populate` selector for a given subcommand.
+*
+* Per-command group needs:
+*
+*   doctor / check    app (rule-driven)
+*   repair            app + secrets   (writes secretsContent / providerKeyContent)
+*   reset             app + secrets + install + reset (the works)
+*   install-*         install only
+*
+* Empty result (`{}`) means "no group needed" — the CLI can skip the
+* `fetchCtxViaInnerApi` call entirely and run with a synthetic empty ctx.
+* Happens e.g. when the user pinned `--rule=<key>` to a vars-free rule on
+* `doctor`.
+*/
+function planCtxPopulate(opts) {
+	if (opts.command === "install") return { install: true };
+	const populate = {};
+	const appFields = planVarsFields({
+		disabled: opts.disabled,
+		onlyRules: opts.onlyRules
+	});
+	if (appFields.length > 0) populate.app = appFields;
+	if (opts.command === "repair") populate.secrets = true;
+	else if (opts.command === "reset") {
+		populate.secrets = true;
+		populate.install = true;
+		populate.reset = true;
+	}
+	return populate;
+}
+//#endregion
 //#region src/index.ts
 const args = node_process.default.argv.slice(2);
 const mode = args.find((a) => !a.startsWith("-"));
@@ -3080,8 +4640,39 @@ function getMultiFlag(args, name) {
 	const prefix = `--${name}=`;
 	return args.filter((a) => a.startsWith(prefix)).map((a) => a.slice(prefix.length));
 }
+/**
+* Per-case telemetry helper: fires `openclaw.report_cli_run` once with
+* the command's outcome. Always called — the previous server-flag gate
+* was removed (server controls receipt by routing the apiName).
+*
+* Best-effort: a thrown reportCliRun is logged to cli.log and swallowed.
+* Never alters the data path's exit code — the user-visible work has
+* already finished by the time we report.
+*
+* `raw` is kept in the signature for backward symmetry with the doctor
+* case but is no longer consulted.
+*/
+async function reportRun(command, rc, _raw, invocation, durationMs, outcome) {
+	console.error(`${command}: telemetry calling report_cli_run`);
+	try {
+		await reportCliRun({
+			command,
+			runId: rc.runId,
+			version: getVersion(),
+			invocation,
+			durationMs,
+			caller: rc.caller,
+			traceId: rc.traceId,
+			success: outcome.success,
+			result: outcome.result,
+			error: outcome.error ? { message: outcome.error.message } : void 0
+		});
+	} catch (e) {
+		console.error(`[telemetry] reportCliRun failed: ${e.message}`);
+	}
+}
 async function main() {
-	installStderrMirror();
+	installStderrMirror({ stderrEnabled: args.includes("-x") });
 	const helpFlags = parseHelpFlags(args);
 	if (mode && helpFlags.help) {
 		const body = formatCommandHelp(mode);
@@ -3101,22 +4692,79 @@ async function main() {
 		node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
 		node_process.default.exit(1);
 	}
+	const caller = getFlag(args, "caller");
+	const traceId = getFlag(args, "trace-id");
+	const rc = setRunContext({
+		caller,
+		traceId
+	});
+	const t0 = Date.now();
+	console.error(`${mode}: begin argv=[${args.join(" ")}] version=${getVersion()} traceId=${traceId ?? "-"} caller=${caller ?? "-"} runIdGenerated=${rc.generated}`);
 	switch (mode) {
-		case "check":
+		case "check": {
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+				populate: planCtxPopulate({ command: "check" }),
+				caller,
+				traceId
+			});
+			const { legacy, report } = runCheckWithReport(buildCheckInput(raw));
+			console.log(JSON.stringify(legacy));
+			await reportRun("check", rc, raw, args.join(" "), Date.now() - t0, {
+				success: !report.aborted,
+				result: report,
+				error: report.aborted ? /* @__PURE__ */ new Error("check run aborted") : void 0
+			});
+			break;
+		}
 		case "repair": {
-			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi();
-			if (mode === "check") console.log(JSON.stringify(runCheck(buildCheckInput(raw))));
-			else console.log(JSON.stringify(runRepair(buildRepairInput(raw))));
+			const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+				populate: planCtxPopulate({ command: "repair" }),
+				caller,
+				traceId
+			});
+			const { legacy, report } = runRepairWithReport(buildRepairInput(raw));
+			console.log(JSON.stringify(legacy));
+			await reportRun("repair", rc, raw, args.join(" "), Date.now() - t0, {
+				success: legacy.success,
+				result: report,
+				error: legacy.success ? void 0 : new Error(legacy.error ?? "repair failed")
+			});
 			break;
 		}
 		case "doctor": {
 			const fix = args.includes("--fix");
 			const rules = getMultiFlag(args, "rule");
-			const result = await runDoctor(await fetchCtxViaInnerApi(), {
+			const skipRules = getMultiFlag(args, "skip-rule");
+			const showDiff = args.includes("--show-diff");
+			const populate = planCtxPopulate({
+				command: "doctor",
+				onlyRules: fix && rules.length > 0 ? rules : void 0,
+				disabled: skipRules
+			});
+			console.error(`doctor: populate=${JSON.stringify(populate)} fix=${fix} rules=[${rules.join(",")}] skipRules=[${skipRules.join(",")}]`);
+			let raw;
+			if (Object.keys(populate).length === 0) {
+				console.error("doctor: skipping fetchCtx (empty populate)");
+				raw = {};
+			} else raw = await fetchCtxViaInnerApi({
+				populate,
+				caller,
+				traceId
+			});
+			const result = await runDoctor(raw, {
 				fix,
-				rules
+				rules,
+				skipRules,
+				showDiff
 			});
-			console.log(JSON.stringify(result));
+			if (!(showDiff && fix)) console.log(JSON.stringify(result));
+			await reportRun("doctor", rc, raw, args.join(" "), Date.now() - t0, {
+				success: !result.aborted,
+				result,
+				error: result.aborted ? /* @__PURE__ */ new Error("doctor run aborted") : void 0
+			});
+			console.error(`doctor: end aborted=${result.aborted} totalMs=${Date.now() - t0} summary=${JSON.stringify(result.summary)}`);
+			if (result.aborted) node_process.default.exit(1);
 			break;
 		}
 		case "reset":
@@ -3125,7 +4773,11 @@ async function main() {
 				let ctxBase64;
 				if (ctxArg) ctxBase64 = ctxArg.slice(6);
 				else {
-					const fetched = await fetchCtxViaInnerApi();
+					const fetched = await fetchCtxViaInnerApi({
+						populate: planCtxPopulate({ command: "reset" }),
+						caller,
+						traceId
+					});
 					ctxBase64 = Buffer.from(JSON.stringify(fetched), "utf-8").toString("base64");
 				}
 				console.log(JSON.stringify(startAsyncReset(ctxBase64)));
@@ -3136,7 +4788,22 @@ async function main() {
 					node_process.default.exit(1);
 				}
 				const resultFile = resetResultFile(taskId);
-				await runReset(buildResetInput(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()), taskId, resultFile);
+				const raw = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "reset" }),
+					caller,
+					traceId
+				});
+				const outcome = await runReset(buildResetInput(raw), taskId, resultFile);
+				await reportRun("reset", rc, raw, args.join(" "), Date.now() - t0, {
+					success: outcome.success,
+					result: {
+						taskId,
+						steps: outcome.steps,
+						failedStep: outcome.failedStep
+					},
+					error: outcome.success ? void 0 : new Error(outcome.error ?? "reset failed")
+				});
+				if (!outcome.success) node_process.default.exit(1);
 			} else {
 				console.error("Usage: reset --async [--ctx=<base64>] | reset --worker --task-id=<id> [--ctx=<base64>]");
 				node_process.default.exit(1);
@@ -3159,12 +4826,34 @@ async function main() {
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await installOpenclaw(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}));
-			console.log(JSON.stringify({ ok: true }));
+			});
+			let success = true;
+			let error;
+			try {
+				await installOpenclaw(tag, ossFileMap);
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("install-openclaw", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: { tag },
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		case "install-extension": {
@@ -3180,18 +4869,45 @@ async function main() {
 			const skipConfigUpdate = args.includes("--skip-config-update");
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await installExtension(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}), {
-				all,
-				names: names.length > 0 ? names : void 0,
-				homeBase,
-				configPath,
-				skipConfigUpdate
 			});
-			console.log(JSON.stringify({ ok: true }));
+			let success = true;
+			let error;
+			try {
+				await installExtension(tag, ossFileMap, {
+					all,
+					names: names.length > 0 ? names : void 0,
+					homeBase,
+					configPath,
+					skipConfigUpdate
+				});
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("install-extension", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: {
+					tag,
+					all,
+					names,
+					skipConfigUpdate
+				},
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		case "download-resource": {
@@ -3209,16 +4925,43 @@ async function main() {
 			}
 			const ossFileMapFlag = getFlag(args, "oss_file_map");
 			let installOssFileMap;
-			if (!ossFileMapFlag) installOssFileMap = normalizeCtx(parseCtxFlag(args) ?? await fetchCtxViaInnerApi()).install.ossFileMap;
-			await downloadResource(tag, resolveOssFileMap({
+			let rawForTelemetry;
+			if (!ossFileMapFlag) {
+				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
+					populate: planCtxPopulate({ command: "install" }),
+					caller,
+					traceId
+				});
+				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
+			}
+			const ossFileMap = resolveOssFileMap({
 				ossFileMapFlag,
 				installOssFileMap
-			}), {
-				role,
-				name,
-				dir
 			});
-			console.log(JSON.stringify({ ok: true }));
+			let success = true;
+			let error;
+			try {
+				await downloadResource(tag, ossFileMap, {
+					role,
+					name,
+					dir
+				});
+			} catch (e) {
+				success = false;
+				error = e;
+			}
+			if (success) console.log(JSON.stringify({ ok: true }));
+			await reportRun("download-resource", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
+				success,
+				result: {
+					tag,
+					role,
+					name,
+					dir
+				},
+				error
+			});
+			if (error) throw error;
 			break;
 		}
 		default:
@@ -3226,10 +4969,12 @@ async function main() {
 			node_process.default.stderr.write(formatTopLevelHelp(helpFlags.expert));
 			node_process.default.exit(1);
 	}
+	console.error(`${mode}: end totalMs=${Date.now() - t0}`);
 }
 main().catch((err) => {
 	const msg = err instanceof Error ? err.message : String(err);
-	console.error(`Error: ${msg}`);
+	console.error(`${mode ?? "<no-mode>"}: error message=${msg}`);
+	node_process.default.stderr.write(`Error: ${msg}\n`);
 	node_process.default.exit(1);
 });
 //#endregion