[Feature] Doctor dry-run / diff mode

[smonett]

Problem

openclaw doctor --fix and --repair apply changes to the config without showing what will change beforehand. While --non-interactive limits to safe migrations, there is no way to preview the full set of changes doctor would make before committing them.

This is risky because doctor performs both migrations (structural changes) and repairs (value changes), and the user has no way to distinguish safe normalization from potentially destructive field modifications.

Evidence

• Incident where openclaw doctor --fix silently stripped custom config fields, removing settings without warning. Required manual restoration from backup.

Workaround

I built oc-doctor-safe, a bash script that:

1. Creates a timestamped backup before any doctor operation
2. Captures doctor's intended changes without applying
3. Shows a diff of what would change
4. Generates a rollback script specific to this run
5. Requires explicit confirmation before applying
6. Supports --rollback to undo the last run

Proposed Solution

Add a --dry-run flag to openclaw doctor:

# Show what doctor would change, without changing anything
openclaw doctor --dry-run

# Show changes as a unified diff
openclaw doctor --dry-run --diff

The output should clearly distinguish:

• Migrations (structural/path changes, generally safe)
• Repairs (value changes, potentially destructive)
• Removals (fields that would be deleted)

Impact

Medium. Builds user confidence in running doctor. Prevents accidental config loss, especially after major version upgrades.

Environment

• OpenClaw 2026.4.10 (npm, macOS)

[smonett]

Consolidated into #65824 and closing. The meta issue contains this request (with 4.15 audit notes) plus 9 others — please review there.