npm - @lark-apaas/openclaw-scripts-diagnose-cli - Versions diffs - 0.1.7-alpha.1 → 0.1.7-beta.0 - Mend

@lark-apaas/openclaw-scripts-diagnose-cli 0.1.7-alpha.1 → 0.1.7-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.cjs +427 -550
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -50,7 +50,7 @@ node_assert = __toESM(node_assert);
 * it terse and parseable.
 */
 function getVersion() {
-	return "0.1.7-alpha.1";
+	return "0.1.7-beta.0";
 }
 //#endregion
 //#region src/rule-engine/base.ts
@@ -76,6 +76,19 @@ function Rule(meta) {
 function getAllRules() {
 	return topoSort(ruleRegistry.map((Ctor) => new Ctor()));
 }
+/** Return serialisable metadata for all registered rules (topo-sorted). */
+function getRuleMetas(keys) {
+	const rules = getAllRules();
+	return (keys && keys.length > 0 ? rules.filter((r) => keys.includes(r.meta.key)) : rules).map((r) => ({
+		key: r.meta.key,
+		description: r.meta.description ?? "(no description)",
+		repairMode: r.meta.repairMode,
+		profile: r.meta.profile ?? "standard",
+		dependsOn: r.meta.dependsOn ?? [],
+		hasSkipWhen: r.meta.skipWhen !== void 0,
+		hasRepair: r.repair !== DiagnoseRule.prototype.repair
+	}));
+}
 /**
 * 判断规则在当前 profile 下是否应执行。
 * experimental profile 运行所有规则；standard 只运行 standard（或未标注）规则。
@@ -1284,6 +1297,7 @@ let OpenclawRuntimeMissingRule = class OpenclawRuntimeMissingRule extends Diagno
 };
 OpenclawRuntimeMissingRule = __decorate([Rule({
 	key: "openclaw_runtime_missing",
+	description: "检查 openclaw 二进制是否在 PATH 中可用；缺失时提示重新安装",
 	repairMode: "user-confirm"
 })], OpenclawRuntimeMissingRule);
 //#endregion
@@ -1307,6 +1321,7 @@ let ProcessStatusRule = class ProcessStatusRule extends DiagnoseRule {
 };
 ProcessStatusRule = __decorate([Rule({
 	key: "multi_process_detect",
+	description: "通过 pgrep 检测是否存在多个并发的 openclaw-gateway 进程；多进程通常表明上次会话未正常退出",
 	repairMode: "standard"
 })], ProcessStatusRule);
 //#endregion
@@ -1372,6 +1387,7 @@ let ConfigFileBackupRule = class ConfigFileBackupRule extends DiagnoseRule {
 };
 ConfigFileBackupRule = __decorate([Rule({
 	key: "config_file_recover",
+	description: "扫描 .bak* 配置备份，当主配置 openclaw.json 缺失时恢复编号最高的备份",
 	repairMode: "standard"
 })], ConfigFileBackupRule);
 //#endregion
@@ -1405,6 +1421,7 @@ let ConfigFileMissingRule = class ConfigFileMissingRule extends DiagnoseRule {
 };
 ConfigFileMissingRule = __decorate([Rule({
 	key: "config_file_missing",
+	description: "在执行恢复后检查 openclaw.json 是否存在；若仍缺失则触发全量重置",
 	dependsOn: ["config_file_recover"],
 	repairMode: "reset"
 })], ConfigFileMissingRule);
@@ -1427,6 +1444,7 @@ let ConfigSyntaxRule = class ConfigSyntaxRule extends DiagnoseRule {
 };
 ConfigSyntaxRule = __decorate([Rule({
 	key: "config_syntax_check",
+	description: "验证 openclaw.json 的 JSON5 语法；schema 校验失败或解析错误时需要 AI 辅助修复",
 	dependsOn: ["config_file_recover", "config_file_missing"],
 	repairMode: "ai"
 })], ConfigSyntaxRule);
@@ -1456,6 +1474,7 @@ let TemplateVarsUnreplacedRule = class TemplateVarsUnreplacedRule extends Diagno
 };
 TemplateVarsUnreplacedRule = __decorate([Rule({
 	key: "template_vars_unreplaced",
+	description: "检测 openclaw.json 中未替换的 $__XXX__ 占位符，并从注入的环境变量中填充",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["templateVars"]
@@ -1604,6 +1623,7 @@ let ModelProviderRule = class ModelProviderRule extends DiagnoseRule {
 };
 ModelProviderRule = __decorate([Rule({
 	key: "model_provider",
+	description: "检查妙搭 model provider 配置项（baseUrl、apiKey、必要 headers）是否存在且格式正确；非妙搭沙箱时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["innerAPIKey", "baseURL"],
@@ -1671,6 +1691,7 @@ let SecretProviderRule = class SecretProviderRule extends DiagnoseRule {
 };
 SecretProviderRule = _SecretProviderRule = __decorate([Rule({
 	key: "secret_provider",
+	description: "验证 miaoda-provider / miaoda-secret-provider 配置块是否存在且完整；未检测到妙搭 provider 时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	skipWhen: ({ hasMiaoda, deps }) => !hasMiaoda || !deps.usesMiaodaProvider && !deps.usesMiaodaSecretProvider
@@ -1735,6 +1756,7 @@ let FeishuChannelRule = class FeishuChannelRule extends DiagnoseRule {
 };
 FeishuChannelRule = __decorate([Rule({
 	key: "feishu_channel",
+	description: "确保 channels.feishu 已启用，且包含单 agent 所需的 appId 和 appSecret 字段",
 	dependsOn: ["config_syntax_check", "feishu_default_account"],
 	repairMode: "standard",
 	usesVars: ["feishuAppID", "feishuAppSecret"]
@@ -1851,6 +1873,7 @@ let FeishuDefaultAccountRule = class FeishuDefaultAccountRule extends DiagnoseRu
 };
 FeishuDefaultAccountRule = __decorate([Rule({
 	key: "feishu_default_account",
+	description: "将旧版 v1/v2 飞书 channel 配置迁移为规范的 v3 bot-<appId> 账号结构",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["feishuAppID", "teamChatID"]
@@ -1979,6 +2002,7 @@ let GatewayRule = class GatewayRule extends DiagnoseRule {
 };
 GatewayRule = __decorate([Rule({
 	key: "gateway",
+	description: "验证 gateway 必填字段（port、mode、bind、auth、trustedProxies）是否存在且有效；修复缺失或非法值",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["gatewayToken"]
@@ -2024,6 +2048,7 @@ let AllowedOriginsRule = class AllowedOriginsRule extends DiagnoseRule {
 };
 AllowedOriginsRule = __decorate([Rule({
 	key: "allowed_origins",
+	description: "确保所有 expectedOrigins 条目都存在于 gateway.auth.allowedOrigins 中；自动追加缺失的条目",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["expectedOrigins"]
@@ -2103,6 +2128,7 @@ let JwtTokenRule = class JwtTokenRule extends DiagnoseRule {
 };
 JwtTokenRule = __decorate([Rule({
 	key: "jwt_token",
+	description: "验证 miaoda provider 引用的 JWT token 文件存在且未过期；非妙搭沙箱时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: ["providerFilePath"],
@@ -2159,6 +2185,7 @@ let SecretsFileRule = class SecretsFileRule extends DiagnoseRule {
 };
 SecretsFileRule = __decorate([Rule({
 	key: "secrets_file",
+	description: "验证 miaoda secret-provider 引用的 secrets.json 文件存在且可解析；非妙搭或非 secret-provider 沙箱时跳过",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	usesVars: [
@@ -2214,6 +2241,7 @@ let CleanupInstallBackupDirsRule = class CleanupInstallBackupDirsRule extends Di
 };
 CleanupInstallBackupDirsRule = __decorate([Rule({
 	key: "cleanup_install_backup_dirs",
+	description: "清理 extensions/ 目录中升级中断遗留的 .openclaw-install-stage-* 和 .openclaw-install-backups/ 脏目录",
 	repairMode: "standard"
 })], CleanupInstallBackupDirsRule);
 //#endregion
@@ -2269,6 +2297,7 @@ let MiaodaOfficialPluginsInstallSpecUnlockRule = class MiaodaOfficialPluginsInst
 };
 MiaodaOfficialPluginsInstallSpecUnlockRule = __decorate([Rule({
 	key: "miaoda_official_plugins_install_spec_unlock",
+	description: "移除官方妙搭插件安装条目中的锁版本 npm spec，使其跟随最新 manifest 版本",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard"
 })], MiaodaOfficialPluginsInstallSpecUnlockRule);
@@ -2335,6 +2364,7 @@ let OldMiaodaPluginsCleanupRule = class OldMiaodaPluginsCleanupRule extends Diag
 };
 OldMiaodaPluginsCleanupRule = __decorate([Rule({
 	key: "old_miaoda_plugins_cleanup",
+	description: "当新版 openclaw-extension-miaoda 已存在时，清理过时插件引用（openclaw-feishu-greeting、openclaw-miaoda-keepalive 等）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard"
 })], OldMiaodaPluginsCleanupRule);
@@ -2372,6 +2402,7 @@ let LarkPluginAllowRule = class LarkPluginAllowRule extends DiagnoseRule {
 };
 LarkPluginAllowRule = __decorate([Rule({
 	key: "lark_plugin_allow",
+	description: "当飞书插件（openclaw-lark 或旧版名）已在磁盘安装但未加入 plugins.allow 时，自动添加",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard"
 })], LarkPluginAllowRule);
@@ -2427,6 +2458,7 @@ let MiaodaPluginAllowRule = class MiaodaPluginAllowRule extends DiagnoseRule {
 };
 MiaodaPluginAllowRule = __decorate([Rule({
 	key: "miaoda_plugin_allow",
+	description: "当 openclaw-extension-miaoda 已在磁盘安装但未在 allow 列表中时，将其添加到 plugins.allow（实验性）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard",
 	profile: "experimental"
@@ -2468,6 +2500,7 @@ let BuiltinPluginMissingRule = class BuiltinPluginMissingRule extends DiagnoseRu
 };
 BuiltinPluginMissingRule = __decorate([Rule({
 	key: "builtin_plugin_missing",
+	description: "检查所有内置扩展插件（openclaw-lark、openclaw-extension-miaoda 等）是否已在磁盘安装；缺失时提示重新安装（实验性）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "user-confirm",
 	profile: "experimental"
@@ -2510,6 +2543,7 @@ let BuiltinPluginInstallsCleanupRule = class BuiltinPluginInstallsCleanupRule ex
 };
 BuiltinPluginInstallsCleanupRule = __decorate([Rule({
 	key: "builtin_plugin_installs_cleanup",
+	description: "在 builtin_plugin_missing 通过后，清除 plugins.installs 中磁盘目录已不存在的条目（实验性）",
 	dependsOn: ["builtin_plugin_missing"],
 	repairMode: "standard",
 	profile: "experimental"
@@ -2792,6 +2826,7 @@ let FeishuPluginStateNormalizeRule = class FeishuPluginStateNormalizeRule extend
 };
 FeishuPluginStateNormalizeRule = __decorate([Rule({
 	key: "feishu_plugin_state_normalize",
+	description: "规范化磁盘上的飞书插件状态：删除旧版插件目录、清理内置 feishu 目录，并将 openclaw.json 条目对齐到 openclaw-lark 插件",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "standard"
 })], FeishuPluginStateNormalizeRule);
@@ -3025,6 +3060,7 @@ let FeishuPluginVersionCompatRule = class FeishuPluginVersionCompatRule extends
 };
 FeishuPluginVersionCompatRule = __decorate([Rule({
 	key: "feishu_plugin_version_compat",
+	description: "检查飞书插件与 openclaw 版本兼容性；不兼容时推荐 upgrade_openclaw 或 upgrade_lark 操作",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "user-confirm",
 	usesVars: ["recommendedOpenclawTag"]
@@ -3185,6 +3221,7 @@ let FeishuAccountsConsistencyRule = class FeishuAccountsConsistencyRule extends
 };
 FeishuAccountsConsistencyRule = __decorate([Rule({
 	key: "feishu_accounts_consistency",
+	description: "检测多 agent 配置中 channels.feishu.accounts、agents.list 与 feishu bindings 之间的数量/ID 不一致（实验性）",
 	dependsOn: ["config_syntax_check"],
 	repairMode: "check-only",
 	usesVars: ["feishuAppID"],
@@ -4134,7 +4171,7 @@ async function installExtension(tag, ossFileMap, opts = {}) {
 		};
 	}));
 	for (const { pkg, tarball } of tarballs) {
-		installOne$1(pkg, tarball, homeBase);
+		installOne(pkg, tarball, homeBase);
 		console.error(`[install-extension]   ${pkg.name}: installed`);
 	}
 	if (!opts.skipConfigUpdate) updatePluginInstalls(opts.configPath ?? node_path.default.join(homeBase, "workspace/agent/openclaw.json"), targets);
@@ -4187,7 +4224,7 @@ function updatePluginInstalls(configPath, installedPkgs) {
 	moveSafe(tmpPath, configPath);
 	console.error(`[install-extension] plugins.installs updated: ${updated} entry(ies) in ${configPath}` + (skipped > 0 ? ` (${skipped} package(s) without installMetadata skipped)` : ""));
 }
-function installOne$1(pkg, tarball, homeBase) {
+function installOne(pkg, tarball, homeBase) {
 	const destDir = node_path.default.join(homeBase, pkg.installPath);
 	const stagingDir = destDir + ".new";
 	const oldDir = destDir + ".old";
@@ -4729,464 +4766,114 @@ function sleepSync(ms) {
 	Atomics.wait(arr, 0, 0, ms);
 }
 //#endregion
-//#region src/lark-cli-init.ts
-const LARK_PLUGIN_NAMES = ["openclaw-lark", "feishu-openclaw-plugin"];
-const PE_XML_TAG = "lark-cli-pe";
-const PE_PLACEHOLDER = `
-<${PE_XML_TAG}>
-**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
-</${PE_XML_TAG}>
-`;
-function isLarkPluginInstalled(configPath) {
-	const extDir = getExtensionsDir(configPath);
-	return LARK_PLUGIN_NAMES.some((name) => {
-		try {
-			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
-		} catch {
-			return false;
-		}
-	});
-}
-function isLarkCliAvailable() {
-	try {
-		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
-			encoding: "utf-8",
-			timeout: 5e3,
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			]
-		}).status === 0;
-	} catch {
-		return false;
-	}
-}
-function readConfig(configPath) {
-	try {
-		const raw = node_fs.default.readFileSync(configPath, "utf-8");
-		const parsed = loadJSON5().parse(raw);
-		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
-	} catch {
-		return null;
-	}
-}
+//#region src/oss/resolveOssFileMap.ts
 /**
-* Resolve the feishu app secret for the given appId.
-*
-* Lookup order:
-*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
-*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
-*
-* Value interpretation:
-*   - string  → use directly
-*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
+* Pick an OssFileMap in the order of decreasing specificity:
+*   1. `--oss_file_map=` flag — operator override (manual invocations, tests)
+*   2. `ctx.install.ossFileMap` — new shape (innerapi-driven DoctorCtx)
+*   3. `ctx.resetData.ossFileMap` — legacy shape (sandbox_console push path)
 *
-* Returns null when the secret cannot be determined.
+* Throws when none of the three yields a non-empty map. Empty maps are
+* treated as missing — an empty map is useless downstream and almost always
+* indicates a ctx wiring bug.
 */
-function resolveAppSecret(appId, config, feishuAppSecret) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return null;
-	let rawSecret;
-	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
-	else {
-		const accounts = asRecord(feishu.accounts);
-		if (accounts) for (const [, val] of Object.entries(accounts)) {
-			const account = asRecord(val);
-			if (account?.appId === appId) {
-				rawSecret = account.appSecret ?? feishu.appSecret;
-				break;
-			}
-		}
-	}
-	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
-	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
-	return null;
+function resolveOssFileMap(args) {
+	if (args.ossFileMapFlag) return JSON.parse(Buffer.from(args.ossFileMapFlag, "base64").toString("utf-8"));
+	if (args.installOssFileMap && Object.keys(args.installOssFileMap).length > 0) return args.installOssFileMap;
+	if (args.resetDataOssFileMap && Object.keys(args.resetDataOssFileMap).length > 0) return args.resetDataOssFileMap;
+	throw new Error("ossFileMap missing: provide --oss_file_map flag, ctx.install.ossFileMap, or resetData.ossFileMap");
 }
-/**
-* Resolve the agents.md path for the given appId from the openclaw config.
-*
-* Case 1: appId matches channels.feishu.appId (single-agent path)
-*   → WORKSPACE_DIR/AGENTS.md
-*
-* Case 2: appId found in channels.feishu.accounts (multi-agent path)
-*   → find account key where account.appId === appId
-*   → find binding where match.channel=feishu && match.accountId=that key
-*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
-*   → else find agent in agents.list by id → agent.workspace/agents.md
-*
-* Returns null when the path cannot be determined.
-*/
-function resolveAgentsMdPath(appId, config) {
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) {
-		console.error("resolveAgentsMdPath: channels.feishu not found");
-		return null;
-	}
-	if (typeof feishu.appId === "string" && feishu.appId === appId) {
-		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
-	}
-	const accounts = asRecord(feishu.accounts);
-	if (!accounts) {
-		console.error("resolveAgentsMdPath: feishu.accounts not found");
-		return null;
-	}
-	let accountId;
-	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
-		accountId = key;
-		break;
-	}
-	if (!accountId) {
-		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
-		return null;
+//#endregion
+//#region src/innerapi/client.ts
+var import_dist = (/* @__PURE__ */ __commonJSMin(((exports, module) => {
+	var __defProp = Object.defineProperty;
+	var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+	var __getOwnPropNames = Object.getOwnPropertyNames;
+	var __hasOwnProp = Object.prototype.hasOwnProperty;
+	var __export = (target, all) => {
+		for (var name in all) __defProp(target, name, {
+			get: all[name],
+			enumerable: true
+		});
+	};
+	var __copyProps = (to, from, except, desc) => {
+		if (from && typeof from === "object" || typeof from === "function") {
+			for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+				get: () => from[key],
+				enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+			});
+		}
+		return to;
+	};
+	var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+	var index_exports = {};
+	__export(index_exports, {
+		DEFAULT_CLOCK_TOLERANCE_SEC: () => DEFAULT_CLOCK_TOLERANCE_SEC,
+		DEFAULT_JWT_EXPIRE_TIME_MS: () => DEFAULT_JWT_EXPIRE_TIME_MS,
+		HttpClient: () => HttpClient,
+		HttpError: () => HttpError,
+		generateJWTToken: () => generateJWTToken,
+		parseJWTTokenWithVerify: () => parseJWTTokenWithVerify,
+		registerPlatformPlugin: () => registerPlatformPlugin,
+		resolvePlatformBaseURL: () => resolvePlatformBaseURL
+	});
+	module.exports = __toCommonJS(index_exports);
+	var import_crypto = require("crypto");
+	var DEFAULT_JWT_EXPIRE_TIME_MS = 1800 * 1e3;
+	var DEFAULT_CLOCK_TOLERANCE_SEC = 60;
+	var JWT_HEADER = {
+		alg: "HS256",
+		typ: "JWT"
+	};
+	function generateJWTToken(customClaims, config) {
+		const nowSeconds = Math.floor(Date.now() / 1e3);
+		const payload = {
+			...customClaims,
+			iss: customClaims.access_key,
+			iat: nowSeconds,
+			nbf: nowSeconds,
+			exp: nowSeconds + Math.floor(config.expireTimeMs / 1e3),
+			jti: (0, import_crypto.randomUUID)()
+		};
+		const encodedHeader = base64UrlEncode(JSON.stringify(JWT_HEADER));
+		const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+		return `${encodedHeader}.${encodedPayload}.${sign(`${encodedHeader}.${encodedPayload}`, config.secretKey)}`;
 	}
-	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
-	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
-	let agentId;
-	for (const b of bindings) {
-		const binding = asRecord(b);
-		if (!binding) continue;
-		const match = asRecord(binding.match);
-		if (match?.channel === "feishu" && match?.accountId === accountId) {
-			if (typeof binding.agentId === "string") {
-				agentId = binding.agentId;
-				break;
+	function parseJWTTokenWithVerify(tokenString, config, options) {
+		const segments = tokenString.split(".");
+		if (segments.length !== 3) throw new Error("invalid JWT token format");
+		const [encodedHeader, encodedPayload, signature] = segments;
+		if (JSON.parse(base64UrlDecode(encodedHeader)).alg !== "HS256") throw new Error("unsupported JWT alg");
+		const expectedSignature = sign(`${encodedHeader}.${encodedPayload}`, config.secretKey);
+		const expectedBuffer = Buffer.from(expectedSignature);
+		const signatureBuffer = Buffer.from(signature);
+		if (expectedBuffer.length !== signatureBuffer.length || !(0, import_crypto.timingSafeEqual)(expectedBuffer, signatureBuffer)) throw new Error("JWT signature verification failed");
+		const payload = JSON.parse(base64UrlDecode(encodedPayload));
+		if (!options?.skipExpiration) {
+			const clockTolerance = options?.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SEC;
+			const now = Math.floor(Date.now() / 1e3);
+			if (payload.exp !== void 0) {
+				if (payload.exp + clockTolerance < now) throw new Error(`JWT token expired at ${(/* @__PURE__ */ new Date(payload.exp * 1e3)).toISOString()}`);
+			}
+			if (payload.nbf !== void 0) {
+				if (payload.nbf - clockTolerance > now) throw new Error(`JWT token not yet valid, will be valid at ${(/* @__PURE__ */ new Date(payload.nbf * 1e3)).toISOString()}`);
+			}
+			if (payload.iat !== void 0) {
+				if (payload.iat - clockTolerance > now) throw new Error(`JWT token issued in the future at ${(/* @__PURE__ */ new Date(payload.iat * 1e3)).toISOString()}`);
 			}
 		}
+		return payload;
 	}
-	if (!agentId) {
-		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
-		return null;
-	}
-	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
-	if (agentId === "main") {
-		console.error("resolveAgentsMdPath: case=multi-agent-main");
-		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
-	}
-	const agentsObj = asRecord(config.agents);
-	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
-	for (const a of list) {
-		const agent = asRecord(a);
-		if (agent?.id === agentId) {
-			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
-			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
-			return node_path.default.join(ws, "AGENTS.md");
-		}
+	function sign(input, secret) {
+		return (0, import_crypto.createHmac)("sha256", secret).update(input).digest("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 	}
-	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
-	return null;
-}
-function appendPeToAgentsMd(agentsMdPath) {
-	const dir = node_path.default.dirname(agentsMdPath);
-	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
-	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
-	if (existing.includes(`<${PE_XML_TAG}>`)) {
-		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
-		return;
+	function base64UrlEncode(input) {
+		return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 	}
-	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
-	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
-	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
-}
-/**
-* Collect every Feishu bot appId declared in the openclaw config.
-* Covers both single-agent (channels.feishu.appId) and multi-agent
-* (channels.feishu.accounts[*].appId) layouts. Returns a deduplicated list.
-*/
-function collectFeishuAppIds(configPath) {
-	const config = readConfig(configPath ?? CONFIG_PATH);
-	if (!config) return [];
-	const feishu = getNestedMap(config, "channels", "feishu");
-	if (!feishu) return [];
-	const appIds = /* @__PURE__ */ new Set();
-	if (typeof feishu.appId === "string" && feishu.appId) appIds.add(feishu.appId);
-	const accounts = asRecord(feishu.accounts);
-	if (accounts) for (const val of Object.values(accounts)) {
-		const account = asRecord(val);
-		if (typeof account?.appId === "string" && account.appId) appIds.add(account.appId);
-	}
-	return [...appIds];
-}
-function runLarkCliInit(opts) {
-	const configPath = opts.configPath ?? CONFIG_PATH;
-	if (!isLarkPluginInstalled(configPath)) {
-		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "openclaw-lark plugin not installed"
-		};
-	}
-	if (!isLarkCliAvailable()) {
-		console.error("lark-cli-init: skipping — lark-cli command not found");
-		return {
-			ok: true,
-			skipped: true,
-			skipReason: "lark-cli command not found"
-		};
-	}
-	const config = readConfig(configPath);
-	if (!config) return {
-		ok: false,
-		error: `could not read config at ${configPath}`
-	};
-	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
-	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
-	if (!agentsMdPath) return {
-		ok: false,
-		error: `could not resolve agents.md path for appId=${opts.appId}`
-	};
-	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
-	if (!appSecret) return {
-		ok: false,
-		error: `could not resolve appSecret for appId=${opts.appId}`
-	};
-	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
-	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
-		"config",
-		"init",
-		"--name",
-		opts.appId,
-		"--app-id",
-		opts.appId,
-		"--brand",
-		"feishu",
-		"--app-secret-stdin",
-		"--force-init"
-	], {
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8",
-		input: appSecret
-	});
-	const configInitStdout = initRes.stdout?.trim() || void 0;
-	const configInitStderr = initRes.stderr?.trim() || void 0;
-	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
-	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
-	if (initRes.error) return {
-		ok: false,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init spawn error: ${initRes.error.message}`
-	};
-	if (initRes.status !== 0) return {
-		ok: false,
-		configInitExitCode: initRes.status ?? void 0,
-		configInitStdout,
-		configInitStderr,
-		error: `lark-cli config init exited with code ${initRes.status}`
-	};
-	appendPeToAgentsMd(agentsMdPath);
-	return {
-		ok: true,
-		configInitExitCode: 0,
-		agentsMdPath
-	};
-}
-const LARK_CLI_NAME = "lark-cli";
-async function installClis(tag, ossFileMap, opts) {
-	const homeBase = opts.homeBase ?? "/home/gem";
-	if (opts.names.length === 0) throw new Error("install-clis: must provide at least one --cli=<name>");
-	const manifest = await fetchManifest(ossFileMap, tag);
-	console.error(`[install-clis] manifest=${JSON.stringify(manifest)}`);
-	const allClis = manifest.packages.filter((p) => p.role === "cli" && p.name !== "openclaw");
-	const wanted = new Set(opts.names);
-	const targets = allClis.filter((p) => wanted.has(p.name) || p.packageName != null && wanted.has(p.packageName));
-	const foundKeys = /* @__PURE__ */ new Set();
-	for (const t of targets) {
-		foundKeys.add(t.name);
-		if (t.packageName) foundKeys.add(t.packageName);
-	}
-	const missing = opts.names.filter((n) => !foundKeys.has(n));
-	if (missing.length > 0) throw new Error(`install-clis: not found in manifest: ${missing.join(", ")}`);
-	console.error(`[install-clis] tag=${tag} targets=${targets.length}`);
-	const t0 = Date.now();
-	const tarballs = await Promise.all(targets.map(async (p) => {
-		const tb = await downloadWithCache(p, ossFileMap, opts);
-		console.error(`[install-clis]   ${p.name}: downloaded`);
-		return {
-			pkg: p,
-			tarball: tb
-		};
-	}));
-	for (const { pkg, tarball } of tarballs) {
-		installOne(pkg, tarball, homeBase, opts.tmpRoot);
-		console.error(`[install-clis]   ${pkg.name}: installed`);
-	}
-	if (targets.some((p) => p.name === LARK_CLI_NAME)) {
-		const appIds = collectFeishuAppIds();
-		console.error(`[install-clis] lark-cli installed — running lark-cli-init for ${appIds.length} appId(s): [${appIds.join(", ")}]`);
-		for (const appId of appIds) {
-			console.error(`[install-clis] lark-cli-init: appId=${appId}`);
-			const result = runLarkCliInit({
-				appId,
-				feishuAppSecret: opts.feishuAppSecret
-			});
-			console.error(`[install-clis] lark-cli-init: appId=${appId} ok=${result.ok}` + (result.skipped ? ` skipped=true reason=${result.skipReason}` : "") + (result.error ? ` error=${result.error}` : ""));
-		}
-	}
-	console.error(`[install-clis] done ${targets.length}/${targets.length} in ${Date.now() - t0}ms`);
-}
-function installOne(pkg, tarball, homeBase, tmpRoot) {
-	const targetDir = node_path.default.join(homeBase, pkg.installPath);
-	const bakDir = targetDir + ".bak";
-	const newDir = targetDir + ".new";
-	node_fs.default.mkdirSync(node_path.default.dirname(targetDir), { recursive: true });
-	if (node_fs.default.existsSync(newDir)) node_fs.default.rmSync(newDir, {
-		recursive: true,
-		force: true
-	});
-	if (node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-		recursive: true,
-		force: true
-	});
-	const tmpStage = node_fs.default.mkdtempSync(node_path.default.join(tmpRoot ?? node_os.default.tmpdir(), "cli-install-"));
-	try {
-		extractTarballTolerant(tarball, tmpStage, { stripComponents: 1 });
-		if (!node_fs.default.existsSync(node_path.default.join(tmpStage, "package.json"))) throw new Error(`cli tarball missing package.json: ${pkg.name}`);
-		moveSafe(tmpStage, newDir);
-		const hadExisting = node_fs.default.existsSync(targetDir);
-		try {
-			if (hadExisting) moveSafe(targetDir, bakDir);
-			moveSafe(newDir, targetDir);
-		} catch (e) {
-			if (hadExisting && !node_fs.default.existsSync(targetDir) && node_fs.default.existsSync(bakDir)) try {
-				moveSafe(bakDir, targetDir);
-			} catch {}
-			try {
-				node_fs.default.rmSync(newDir, {
-					recursive: true,
-					force: true
-				});
-			} catch {}
-			throw e;
-		}
-		if (hadExisting && node_fs.default.existsSync(bakDir)) node_fs.default.rmSync(bakDir, {
-			recursive: true,
-			force: true
-		});
-	} finally {
-		if (node_fs.default.existsSync(tmpStage)) try {
-			node_fs.default.rmSync(tmpStage, {
-				recursive: true,
-				force: true
-			});
-		} catch {}
-	}
-}
-//#endregion
-//#region src/oss/resolveOssFileMap.ts
-/**
-* Pick an OssFileMap in the order of decreasing specificity:
-*   1. `--oss_file_map=` flag — operator override (manual invocations, tests)
-*   2. `ctx.install.ossFileMap` — new shape (innerapi-driven DoctorCtx)
-*   3. `ctx.resetData.ossFileMap` — legacy shape (sandbox_console push path)
-*
-* Throws when none of the three yields a non-empty map. Empty maps are
-* treated as missing — an empty map is useless downstream and almost always
-* indicates a ctx wiring bug.
-*/
-function resolveOssFileMap(args) {
-	if (args.ossFileMapFlag) return JSON.parse(Buffer.from(args.ossFileMapFlag, "base64").toString("utf-8"));
-	if (args.installOssFileMap && Object.keys(args.installOssFileMap).length > 0) return args.installOssFileMap;
-	if (args.resetDataOssFileMap && Object.keys(args.resetDataOssFileMap).length > 0) return args.resetDataOssFileMap;
-	throw new Error("ossFileMap missing: provide --oss_file_map flag, ctx.install.ossFileMap, or resetData.ossFileMap");
-}
-//#endregion
-//#region src/innerapi/client.ts
-var import_dist = (/* @__PURE__ */ __commonJSMin(((exports, module) => {
-	var __defProp = Object.defineProperty;
-	var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-	var __getOwnPropNames = Object.getOwnPropertyNames;
-	var __hasOwnProp = Object.prototype.hasOwnProperty;
-	var __export = (target, all) => {
-		for (var name in all) __defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	};
-	var __copyProps = (to, from, except, desc) => {
-		if (from && typeof from === "object" || typeof from === "function") {
-			for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
-				get: () => from[key],
-				enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-			});
-		}
-		return to;
-	};
-	var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-	var index_exports = {};
-	__export(index_exports, {
-		DEFAULT_CLOCK_TOLERANCE_SEC: () => DEFAULT_CLOCK_TOLERANCE_SEC,
-		DEFAULT_JWT_EXPIRE_TIME_MS: () => DEFAULT_JWT_EXPIRE_TIME_MS,
-		HttpClient: () => HttpClient,
-		HttpError: () => HttpError,
-		generateJWTToken: () => generateJWTToken,
-		parseJWTTokenWithVerify: () => parseJWTTokenWithVerify,
-		registerPlatformPlugin: () => registerPlatformPlugin,
-		resolvePlatformBaseURL: () => resolvePlatformBaseURL
-	});
-	module.exports = __toCommonJS(index_exports);
-	var import_crypto = require("crypto");
-	var DEFAULT_JWT_EXPIRE_TIME_MS = 1800 * 1e3;
-	var DEFAULT_CLOCK_TOLERANCE_SEC = 60;
-	var JWT_HEADER = {
-		alg: "HS256",
-		typ: "JWT"
-	};
-	function generateJWTToken(customClaims, config) {
-		const nowSeconds = Math.floor(Date.now() / 1e3);
-		const payload = {
-			...customClaims,
-			iss: customClaims.access_key,
-			iat: nowSeconds,
-			nbf: nowSeconds,
-			exp: nowSeconds + Math.floor(config.expireTimeMs / 1e3),
-			jti: (0, import_crypto.randomUUID)()
-		};
-		const encodedHeader = base64UrlEncode(JSON.stringify(JWT_HEADER));
-		const encodedPayload = base64UrlEncode(JSON.stringify(payload));
-		return `${encodedHeader}.${encodedPayload}.${sign(`${encodedHeader}.${encodedPayload}`, config.secretKey)}`;
-	}
-	function parseJWTTokenWithVerify(tokenString, config, options) {
-		const segments = tokenString.split(".");
-		if (segments.length !== 3) throw new Error("invalid JWT token format");
-		const [encodedHeader, encodedPayload, signature] = segments;
-		if (JSON.parse(base64UrlDecode(encodedHeader)).alg !== "HS256") throw new Error("unsupported JWT alg");
-		const expectedSignature = sign(`${encodedHeader}.${encodedPayload}`, config.secretKey);
-		const expectedBuffer = Buffer.from(expectedSignature);
-		const signatureBuffer = Buffer.from(signature);
-		if (expectedBuffer.length !== signatureBuffer.length || !(0, import_crypto.timingSafeEqual)(expectedBuffer, signatureBuffer)) throw new Error("JWT signature verification failed");
-		const payload = JSON.parse(base64UrlDecode(encodedPayload));
-		if (!options?.skipExpiration) {
-			const clockTolerance = options?.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SEC;
-			const now = Math.floor(Date.now() / 1e3);
-			if (payload.exp !== void 0) {
-				if (payload.exp + clockTolerance < now) throw new Error(`JWT token expired at ${(/* @__PURE__ */ new Date(payload.exp * 1e3)).toISOString()}`);
-			}
-			if (payload.nbf !== void 0) {
-				if (payload.nbf - clockTolerance > now) throw new Error(`JWT token not yet valid, will be valid at ${(/* @__PURE__ */ new Date(payload.nbf * 1e3)).toISOString()}`);
-			}
-			if (payload.iat !== void 0) {
-				if (payload.iat - clockTolerance > now) throw new Error(`JWT token issued in the future at ${(/* @__PURE__ */ new Date(payload.iat * 1e3)).toISOString()}`);
-			}
-		}
-		return payload;
-	}
-	function sign(input, secret) {
-		return (0, import_crypto.createHmac)("sha256", secret).update(input).digest("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-	}
-	function base64UrlEncode(input) {
-		return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-	}
-	function base64UrlDecode(input) {
-		const padLength = (4 - (input.length % 4 || 4)) % 4;
-		const padded = `${input}${"=".repeat(padLength)}`.replace(/-/g, "+").replace(/_/g, "/");
-		return Buffer.from(padded, "base64").toString("utf8");
+	function base64UrlDecode(input) {
+		const padLength = (4 - (input.length % 4 || 4)) % 4;
+		const padded = `${input}${"=".repeat(padLength)}`.replace(/-/g, "+").replace(/_/g, "/");
+		return Buffer.from(padded, "base64").toString("utf8");
 	}
 	var JWTTokenManager = class {
 		cache = /* @__PURE__ */ new Map();
@@ -8180,14 +7867,254 @@ function finalize(results, aborted) {
 	};
 }
 //#endregion
-//#region src/innerapi/reportCliRun.ts
-/**
-* CLI-side client for studio_server's `openclaw.report_cli_run` inner
-* API — the unified telemetry sink for every CLI command.
-*
-* Best-effort: gated by `DoctorCtx.telemetry.reportCliRun` returned by
-* `get_doctor_ctx`. When the server hasn't rolled out the API yet the
-* flag is absent and the CLI never invokes this. When enabled, the CLI
+//#region src/lark-cli-init.ts
+const LARK_PLUGIN_NAMES = ["openclaw-lark", "feishu-openclaw-plugin"];
+const PE_XML_TAG = "lark-cli-pe";
+const PE_PLACEHOLDER = `
+<${PE_XML_TAG}>
+**【强制要求 - 无例外】飞书所有操作必须先读 feishu-lark-cli skill。未读skill不得调用任何飞书工具，违者视为操作失误。**
+</${PE_XML_TAG}>
+`;
+function isLarkPluginInstalled(configPath) {
+	const extDir = getExtensionsDir(configPath);
+	return LARK_PLUGIN_NAMES.some((name) => {
+		try {
+			return node_fs.default.existsSync(node_path.default.join(extDir, name, "package.json"));
+		} catch {
+			return false;
+		}
+	});
+}
+function isLarkCliAvailable() {
+	try {
+		return (0, node_child_process.spawnSync)("lark-cli", ["--version"], {
+			encoding: "utf-8",
+			timeout: 5e3,
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).status === 0;
+	} catch {
+		return false;
+	}
+}
+function readConfig(configPath) {
+	try {
+		const raw = node_fs.default.readFileSync(configPath, "utf-8");
+		const parsed = loadJSON5().parse(raw);
+		return parsed != null && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Resolve the feishu app secret for the given appId.
+*
+* Lookup order:
+*   1. channels.feishu.appSecret  (single-agent: feishu.appId === appId)
+*   2. channels.feishu.accounts[key].appSecret  (multi-agent: account.appId === appId)
+*
+* Value interpretation:
+*   - string  → use directly
+*   - object  → secret is managed by a provider; use `feishuAppSecret` param instead
+*
+* Returns null when the secret cannot be determined.
+*/
+function resolveAppSecret(appId, config, feishuAppSecret) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) return null;
+	let rawSecret;
+	if (typeof feishu.appId === "string" && feishu.appId === appId) rawSecret = feishu.appSecret;
+	else {
+		const accounts = asRecord(feishu.accounts);
+		if (accounts) for (const [, val] of Object.entries(accounts)) {
+			const account = asRecord(val);
+			if (account?.appId === appId) {
+				rawSecret = account.appSecret ?? feishu.appSecret;
+				break;
+			}
+		}
+	}
+	if (typeof rawSecret === "string" && rawSecret) return rawSecret;
+	if (rawSecret != null && typeof rawSecret === "object") return feishuAppSecret ?? null;
+	return null;
+}
+/**
+* Resolve the agents.md path for the given appId from the openclaw config.
+*
+* Case 1: appId matches channels.feishu.appId (single-agent path)
+*   → WORKSPACE_DIR/AGENTS.md
+*
+* Case 2: appId found in channels.feishu.accounts (multi-agent path)
+*   → find account key where account.appId === appId
+*   → find binding where match.channel=feishu && match.accountId=that key
+*   → if agentId === 'main'  → WORKSPACE_DIR/agents.md
+*   → else find agent in agents.list by id → agent.workspace/agents.md
+*
+* Returns null when the path cannot be determined.
+*/
+function resolveAgentsMdPath(appId, config) {
+	const feishu = getNestedMap(config, "channels", "feishu");
+	if (!feishu) {
+		console.error("resolveAgentsMdPath: channels.feishu not found");
+		return null;
+	}
+	if (typeof feishu.appId === "string" && feishu.appId === appId) {
+		console.error(`resolveAgentsMdPath: case=single-agent feishu.appId=${feishu.appId}`);
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const accounts = asRecord(feishu.accounts);
+	if (!accounts) {
+		console.error("resolveAgentsMdPath: feishu.accounts not found");
+		return null;
+	}
+	let accountId;
+	for (const [key, val] of Object.entries(accounts)) if (asRecord(val)?.appId === appId) {
+		accountId = key;
+		break;
+	}
+	if (!accountId) {
+		console.error(`resolveAgentsMdPath: no account found with appId=${appId} in feishu.accounts keys=[${Object.keys(accounts).join(",")}]`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found accountId=${accountId}`);
+	const bindings = Array.isArray(config.bindings) ? config.bindings : [];
+	let agentId;
+	for (const b of bindings) {
+		const binding = asRecord(b);
+		if (!binding) continue;
+		const match = asRecord(binding.match);
+		if (match?.channel === "feishu" && match?.accountId === accountId) {
+			if (typeof binding.agentId === "string") {
+				agentId = binding.agentId;
+				break;
+			}
+		}
+	}
+	if (!agentId) {
+		console.error(`resolveAgentsMdPath: no binding found for accountId=${accountId} in bindings(count=${bindings.length})`);
+		return null;
+	}
+	console.error(`resolveAgentsMdPath: found agentId=${agentId}`);
+	if (agentId === "main") {
+		console.error("resolveAgentsMdPath: case=multi-agent-main");
+		return node_path.default.join(WORKSPACE_DIR, "workspace", "AGENTS.md");
+	}
+	const agentsObj = asRecord(config.agents);
+	const list = Array.isArray(agentsObj?.list) ? agentsObj.list : [];
+	for (const a of list) {
+		const agent = asRecord(a);
+		if (agent?.id === agentId) {
+			const ws = typeof agent.workspace === "string" ? agent.workspace : node_path.default.join(WORKSPACE_DIR, "workspace");
+			console.error(`resolveAgentsMdPath: case=multi-agent-custom agentId=${agentId} workspace=${ws}`);
+			return node_path.default.join(ws, "AGENTS.md");
+		}
+	}
+	console.error(`resolveAgentsMdPath: agentId=${agentId} not found in agents.list(count=${list.length})`);
+	return null;
+}
+function appendPeToAgentsMd(agentsMdPath) {
+	const dir = node_path.default.dirname(agentsMdPath);
+	if (!node_fs.default.existsSync(dir)) node_fs.default.mkdirSync(dir, { recursive: true });
+	const existing = node_fs.default.existsSync(agentsMdPath) ? node_fs.default.readFileSync(agentsMdPath, "utf-8") : "";
+	if (existing.includes(`<${PE_XML_TAG}>`)) {
+		console.error(`lark-cli-init: <${PE_XML_TAG}> already present in ${agentsMdPath}, skipping`);
+		return;
+	}
+	const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
+	node_fs.default.appendFileSync(agentsMdPath, `${sep}${PE_PLACEHOLDER}`, "utf-8");
+	console.error(`lark-cli-init: appended PE placeholder to ${agentsMdPath}`);
+}
+function runLarkCliInit(opts) {
+	const configPath = opts.configPath ?? CONFIG_PATH;
+	if (!isLarkPluginInstalled(configPath)) {
+		console.error("lark-cli-init: skipping — openclaw-lark plugin not installed");
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: "openclaw-lark plugin not installed"
+		};
+	}
+	if (!isLarkCliAvailable()) {
+		console.error("lark-cli-init: skipping — lark-cli command not found");
+		return {
+			ok: true,
+			skipped: true,
+			skipReason: "lark-cli command not found"
+		};
+	}
+	const config = readConfig(configPath);
+	if (!config) return {
+		ok: false,
+		error: `could not read config at ${configPath}`
+	};
+	const agentsMdPath = resolveAgentsMdPath(opts.appId, config);
+	console.error(`lark-cli-init: resolved agents.md path=${agentsMdPath ?? "(null)"}`);
+	if (!agentsMdPath) return {
+		ok: false,
+		error: `could not resolve agents.md path for appId=${opts.appId}`
+	};
+	const appSecret = resolveAppSecret(opts.appId, config, opts.feishuAppSecret);
+	if (!appSecret) return {
+		ok: false,
+		error: `could not resolve appSecret for appId=${opts.appId}`
+	};
+	console.error(`lark-cli-init: running lark-cli config init --name ${opts.appId} --app-id ${opts.appId} --brand feishu --app-secret-stdin --force-init`);
+	const initRes = (0, node_child_process.spawnSync)("lark-cli", [
+		"config",
+		"init",
+		"--name",
+		opts.appId,
+		"--app-id",
+		opts.appId,
+		"--brand",
+		"feishu",
+		"--app-secret-stdin",
+		"--force-init"
+	], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8",
+		input: appSecret
+	});
+	const configInitStdout = initRes.stdout?.trim() || void 0;
+	const configInitStderr = initRes.stderr?.trim() || void 0;
+	if (configInitStdout) console.error(`lark-cli config init stdout: ${configInitStdout}`);
+	if (configInitStderr) console.error(`lark-cli config init stderr: ${configInitStderr}`);
+	if (initRes.error) return {
+		ok: false,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init spawn error: ${initRes.error.message}`
+	};
+	if (initRes.status !== 0) return {
+		ok: false,
+		configInitExitCode: initRes.status ?? void 0,
+		configInitStdout,
+		configInitStderr,
+		error: `lark-cli config init exited with code ${initRes.status}`
+	};
+	appendPeToAgentsMd(agentsMdPath);
+	return {
+		ok: true,
+		configInitExitCode: 0,
+		agentsMdPath
+	};
+}
+//#endregion
+//#region src/innerapi/reportCliRun.ts
+/**
+* CLI-side client for studio_server's `openclaw.report_cli_run` inner
+* API — the unified telemetry sink for every CLI command.
+*
+* Best-effort: gated by `DoctorCtx.telemetry.reportCliRun` returned by
+* `get_doctor_ctx`. When the server hasn't rolled out the API yet the
+* flag is absent and the CLI never invokes this. When enabled, the CLI
 * fires-and-forgets one report per command after work is done.
 *
 * Failures here MUST NOT change exit code or otherwise affect the
@@ -8259,7 +8186,7 @@ async function reportCliRun(opts) {
 //#region src/help.ts
 const BIN = "mclaw-diagnose";
 function versionBanner() {
-	return `v0.1.7-alpha.1`;
+	return `v0.1.7-beta.0`;
 }
 const COMMANDS = [
 	{
@@ -8477,37 +8404,6 @@ OPTIONS
   --skip-config-update Leave plugins.installs in openclaw.json untouched.
   --ctx=<base64>       Opaque ctx; see install-openclaw for semantics.
   --oss_file_map=...   Pre-built OSS URL map (base64 JSON).
-`
-	},
-	{
-		name: "install-clis",
-		hidden: true,
-		summary: "Install CLI package(s) (role=cli) from the manifest",
-		help: `USAGE
-  ${BIN} install-clis <tag> --cli=<name>... [options]
-DESCRIPTION
-  Downloads + installs one or more CLI tarballs (role=cli in the manifest)
-  into <home_base>/<pkg.installPath>. Currently the only CLI in this
-  category is lark-cli (@larksuite/cli); openclaw itself is handled by the
-  dedicated install-openclaw command.
-  Each package is first extracted into a temporary directory (os.tmpdir(),
-  typically tmpfs) to avoid overlayfs race conditions, then ferried to a
-  sibling .new directory and atomically swapped into the final target path.
-ARGUMENTS
-  <tag>                Openclaw version tag, e.g. 2026.4.11.
-OPTIONS
-  --cli=<name>         CLI package to install by short name or scoped
-                       packageName (repeatable, at least one required).
-  --home_base=<dir>    Override the /home/gem base (tests).
-  --ctx=<base64>       Opaque ctx; ossFileMap is extracted from it.
-  --oss_file_map=...   Pre-built OSS URL map (base64 JSON); skips innerapi.
-EXAMPLES
-  ${BIN} install-clis 2026.4.11 --cli=lark-cli
 `
 	},
 	{
@@ -8557,6 +8453,39 @@ OPTIONS
 EXIT CODES
   0    Success or skipped (prerequisites not met).
   1    Secret/path unresolvable, lark-cli failed, or config unreadable.
+`
+	},
+	{
+		name: "rules",
+		hidden: true,
+		summary: "List all registered rule metadata as JSON",
+		help: `USAGE
+  ${BIN} rules [--rule=<key>]...
+DESCRIPTION
+  Prints a JSON array of serialisable metadata for every registered rule,
+  topologically sorted by dependsOn. Useful for tooling, dashboards, and
+  analysis scripts that need a stable machine-readable view of the rule
+  registry.
+  Each element has the shape:
+    {
+      "key": "gateway",
+      "description": "...",
+      "repairMode": "standard" | "user-confirm" | "ai" | "reset" | "check-only",
+      "profile": "standard" | "experimental",
+      "dependsOn": ["config_syntax_check"],
+      "hasSkipWhen": false
+    }
+OPTIONS
+  --rule=<key>   Filter output to specific rule keys (repeatable). Returns
+                 all rules when omitted.
+EXAMPLES
+  ${BIN} rules                         # all rules
+  ${BIN} rules --rule=gateway          # single rule
+  ${BIN} rules --rule=gateway --rule=feishu_channel  # multiple rules
 `
 	},
 	{
@@ -10003,7 +9932,7 @@ function parseCtxFlag(args) {
 * (The mode itself is args[0] in the filtered set, so we skip index 0.)
 */
 function getPositionalTag(args, modeName) {
-	return args.find((a, i) => i > 0 && !a.startsWith("-") && a !== modeName);
+	return args.find((a, i) => i > 0 && !a.startsWith("--") && a !== modeName);
 }
 function getFlag(args, name) {
 	const prefix = `--${name}=`;
@@ -10344,64 +10273,6 @@ async function main() {
 			if (error) throw error;
 			break;
 		}
-		case "install-clis": {
-			const tag = getPositionalTag(args, "install-clis");
-			if (!tag) {
-				console.error("Usage: install-clis <tag> --cli=<name>... [--home_base=<dir>] [--ctx=<base64> | --oss_file_map=<base64>]");
-				node_process.default.exit(1);
-			}
-			const names = getMultiFlag(args, "cli");
-			const homeBase = getFlag(args, "home_base");
-			const ossFileMapFlag = getFlag(args, "oss_file_map");
-			let installOssFileMap;
-			let rawForTelemetry;
-			if (!ossFileMapFlag) {
-				rawForTelemetry = parseCtxFlag(args) ?? await fetchCtxViaInnerApi({
-					populate: planCtxPopulate({ command: "install" }),
-					caller,
-					traceId
-				});
-				installOssFileMap = normalizeCtx(rawForTelemetry).install.ossFileMap;
-			}
-			const ossFileMap = resolveOssFileMap({
-				ossFileMapFlag,
-				installOssFileMap
-			});
-			console.error(`[install-clis] ossFileMap=${JSON.stringify(ossFileMap)}`);
-			let feishuAppSecret;
-			if (names.includes("lark-cli")) feishuAppSecret = normalizeCtx(await fetchCtxViaInnerApi({
-				populate: { app: ["feishuAppSecret"] },
-				caller,
-				traceId
-			})).app.feishuAppSecret || void 0;
-			let success = true;
-			let error;
-			try {
-				await installClis(tag, ossFileMap, {
-					names,
-					homeBase,
-					feishuAppSecret
-				});
-			} catch (e) {
-				success = false;
-				error = e;
-			}
-			if (success) console.log(JSON.stringify({ ok: true }));
-			await reportRun("install-clis", rc, rawForTelemetry, args.join(" "), Date.now() - t0, {
-				success,
-				result: {
-					tag,
-					names
-				},
-				error
-			}, {
-				scene,
-				profile,
-				fix: false
-			});
-			if (error) throw error;
-			break;
-		}
 		case "download-resource": {
 			const tag = getPositionalTag(args, "download-resource");
 			if (!tag) {
@@ -10460,6 +10331,12 @@ async function main() {
 			if (error) throw error;
 			break;
 		}
+		case "rules": {
+			const keys = getMultiFlag(args, "rule");
+			const metas = getRuleMetas(keys.length > 0 ? keys : void 0);
+			console.log(JSON.stringify(metas));
+			break;
+		}
 		case "lark-cli-init": {
 			const appId = getFlag(args, "app-id");
 			if (!appId) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lark-apaas/openclaw-scripts-diagnose-cli",
-  "version": "0.1.7-alpha.1",
+  "version": "0.1.7-beta.0",
   "description": "CLI for OpenClaw config diagnose and repair with JSON5 support",
   "main": "dist/index.cjs",
   "bin": {