Doctor: expose dry-run preview reports

[giodl73-repo]

Summary

Expose the structured Doctor repair work through top-level dry-run, diff, and JSON preview reporting.

This PR adds the user-facing preview surface for converted Doctor repairs:

• openclaw doctor --fix --dry-run plans converted repairs without mutating config or state.
• openclaw doctor --fix --dry-run --diff includes concrete file/config diffs when a converted check can describe them.
• openclaw doctor --fix --dry-run --json emits a machine-readable preview report with findings, changes, warnings, effects, diffs, and skipped legacy repair slots.
• Legacy repair contributions that are not converted yet are reported as skipped instead of being silently represented as previewed.
• Presentation notes stay out of JSON; notes still flow through the normal OpenClaw note surface.

The preview path also disables legacy config/state preflight migrations, so dry-run/diff does not copy legacy config or move legacy state before producing a report.

Contract

The preview report uses the same structured repair pieces returned by converted checks: findings, changes, warnings, effects, diffs, and skipped.

Checks still decide only the repair plan and effects. The runner decides whether to render that plan for human output, diff output, JSON, or a real fix.

Docs

Updated docs/cli/doctor.md so the public CLI reference no longer says --json is lint-only and now documents dry-run, diff, JSON preview fields, skipped legacy repairs, and the run(ctx) / ctx.repair health-check contract.

Verification

• pnpm docs:list
• git diff --check
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test-84472-preview-docs.tsbuildinfo
• node scripts/run-vitest.mjs src/flows/doctor-core-checks.test.ts src/flows/doctor-health.test.ts src/flows/doctor-health-contributions.test.ts src/cli/program/register.maintenance.test.ts
• node scripts/run-vitest.mjs src/commands/doctor-config-flow.test.ts
• codex review --base refs/remotes/fork/doctor-cron-audit-structured-repairs

Real Behavior Proof

Behavior addressed: openclaw doctor --fix --dry-run/--diff --json now emits structured preview output for converted repair checks, reports unconverted legacy repair slots as skipped, keeps presentation notes out of JSON, preserves --deep during OAuth TLS previews, uses dry-run-safe wording for skills repairs, and disables legacy config/state preflight mutations during preview.

Real environment tested: WSL source checkout on branch doctor-dry-run-contribution-guard at a2cf3c5bb7142604da5ff35357a106de568f46c5, using an isolated fake home with a legacy .clawdbot/clawdbot.json present.

Exact steps or command run after this patch: HOME=$PWD/.artifacts/proof-84472-preview/live-final/home OPENCLAW_HOME=$PWD/.artifacts/proof-84472-preview/live-final/openclaw-home OPENCLAW_DISABLE_AUTO_UPDATE=1 CI=1 timeout 180s node --import tsx src/entry.ts doctor --fix --dry-run --diff --json > .artifacts/proof-84472-preview/live-final/diff.json 2> .artifacts/proof-84472-preview/live-final/diff.stderr; then checked whether .artifacts/proof-84472-preview/live-final/home/.openclaw/openclaw.json was created.

Evidence after fix: The command exited successfully, stderr was empty, and the JSON report parsed with ok: false, mode: "dry-run", diff: true, checksRun: 29, checksRepaired: 5, findings: 49, changes: 47, effects: 47, diffs: 1, and skipped: 14. The legacy config copy check reported legacy_config_copied=no.

Observed result after fix: The preview command produced structured dry-run/diff JSON and did not copy the fake legacy .clawdbot config into .openclaw/openclaw.json.

What was not tested: Full cross-platform live Doctor repair scenarios were not run for this draft stack PR; this proof covers the new preview surface and focused Doctor contract tests in WSL.

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 22:21 UTC / May 22, 2026, 6:21 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds openclaw doctor dry-run, diff, and JSON preview reporting over structured health-check repair output, including skipped legacy repair reporting and Doctor docs updates.

Reproducibility: not applicable. as a bug reproduction. For review risk, the stack/mergeability issue is reproducible with git apply --check, and the PR body provides terminal proof for the new preview behavior.

PR rating
Overall: 🦐 gold shrimp
Proof: 🐚 platinum hermit
Patch quality: 🦐 gold shrimp
Summary: The proof is now useful, but the patch remains a broad draft stack with mergeability and public-contract risk.

Rank-up moves:

• Rebase or land the parent Doctor stack so this diff applies to current main.
• Get maintainer signoff on the preview JSON/diff/skipped schema and SDK health-check contract.
• Run broad Doctor CLI proof after the stack settles.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body includes after-patch terminal proof for the Doctor dry-run/diff JSON command in an isolated WSL setup, including parsed output and a non-mutation check.

Risk before merge

• The branch is a draft with the protected maintainer label, so it should not be auto-closed or auto-merged by cleanup.
• The downloaded PR diff does not apply cleanly to current main, so parent stack order or a rebase is required before final merge validation.
• The preview JSON/diff/skipped fields and openclaw/plugin-sdk/health runnable-check exports become public contracts once released.
• The touched Doctor preview paths cover config, service, sandbox, policy, session, and security-adjacent repairs, so maintainers need confidence that preview remains non-mutating across upgrade states.

Maintainer options:

1. Settle the Doctor stack first (recommended)
   Land or rebase the parent Doctor repair-contract PRs so this preview layer applies to current main and can be validated as one coherent CLI contract.
2. Accept the preview contract deliberately
   Maintainers can choose to own the current JSON, diff, skipped-repair, and SDK health-check shapes as the first public preview contract after review.
3. Pause until parent proof is green
   Because this PR is the user-facing layer over several open Doctor repair PRs, maintainers can keep it paused until the parent stack has broad Doctor proof.

Next step before merge
Protected-label draft plus public CLI/SDK contract and stack conflicts require maintainer review rather than an automated repair lane.

Security
Cleared: No concrete supply-chain or credential-handling regression was found in the inspected diff, but the Doctor security-sensitive preview paths still need maintainer/broad proof before merge.

Review details

Best possible solution:

Land this only after the Doctor repair stack is rebased or merged cleanly, maintainers accept the initial preview and SDK contract, and broad Doctor proof confirms preview mode stays non-mutating.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction. For review risk, the stack/mergeability issue is reproducible with git apply --check, and the PR body provides terminal proof for the new preview behavior.

Is this the best way to solve the issue?

Unclear until maintainer contract review: the implementation direction is coherent, but the public CLI/SDK schema and stacked branch state need explicit acceptance before merge.

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-patch terminal proof for the Doctor dry-run/diff JSON command in an isolated WSL setup, including parsed output and a non-mutation check.
• add rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🐚 platinum hermit, patch quality is 🦐 gold shrimp, and The proof is now useful, but the patch remains a broad draft stack with mergeability and public-contract risk.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-patch terminal proof for the Doctor dry-run/diff JSON command in an isolated WSL setup, including parsed output and a non-mutation check.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is a normal-priority Doctor CLI feature with meaningful but bounded blast radius.
• merge-risk: 🚨 compatibility: The PR exposes new Doctor preview JSON/diff fields and public health-check SDK exports that users or plugins can depend on.
• merge-risk: 🚨 security-boundary: The preview path covers security, policy, sandbox, auth, config-audit, and service repair surfaces where non-mutating behavior must hold.
• merge-risk: 🚨 availability: The patch routes core Doctor repair/preflight behavior, so a bad merge could break openclaw doctor repair or preview runs.
• rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🐚 platinum hermit, patch quality is 🦐 gold shrimp, and The proof is now useful, but the patch remains a broad draft stack with mergeability and public-contract risk.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-patch terminal proof for the Doctor dry-run/diff JSON command in an isolated WSL setup, including parsed output and a non-mutation check.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-patch terminal proof for the Doctor dry-run/diff JSON command in an isolated WSL setup, including parsed output and a non-mutation check.

What I checked:

• Current main CLI behavior: Current main registers doctor --lint and --json as lint-only options and has no Doctor dry-run or diff preview flags. (src/cli/program/register.maintenance.ts:24, 299ed808347c)
• PR CLI surface: The PR adds --dry-run, --diff, and broader --json option text, then routes dry-run/diff into doctorCommand as repair preview options. (src/cli/program/register.maintenance.ts:24, a2cf3c5bb714)
• Preview non-mutation path: The PR makes preview mode set repair intent for Doctor flow while passing non-repair config options, suppressing presentation notes for JSON, and disabling legacy config/state preflight migrations. (src/flows/doctor-health.ts:11, a2cf3c5bb714)
• Preview report aggregation: The PR routes selected structured health checks through the repair runner and appends findings, changes, warnings, effects, diffs, and counts into the preview report. (src/flows/doctor-health-contributions.ts:440, a2cf3c5bb714)
• Public SDK contract change: The PR exports defineSplitHealthCheck and new runnable health-check types from the public openclaw/plugin-sdk/health surface, making compatibility review necessary. (src/plugin-sdk/health.ts:8, a2cf3c5bb714)
• Real behavior proof in PR body: The PR body reports a WSL source-checkout run of node --import tsx src/entry.ts doctor --fix --dry-run --diff --json against an isolated fake home, with parsed preview JSON and no legacy config copy created. (a2cf3c5bb714)

Likely related people:

• steipete: Peter Steinberger authored the Doctor flow-contribution refactor and appears repeatedly in recent Doctor/CLI/docs history for the affected files. (role: feature-history owner; confidence: high; commits: 7d6d642cb825, 755263499672; files: src/flows/doctor-health-contributions.ts, src/flows/doctor-repair-flow.ts, docs/cli/doctor.md)
• vincentkoc: Vincent Koc has recent history on Doctor health checks and nearby core refactors that affect the structured health-check surface. (role: adjacent area contributor; confidence: medium; commits: 8143b9a23ead, 74e7b8d47b18; files: src/flows/doctor-core-checks.ts, src/commands/doctor-claude-cli.ts)
• joshavant: Josh Avant worked on SecretRef and doctor/status hardening, which is relevant because this PR previews security-sensitive Doctor auth and config paths. (role: adjacent security/SecretRef contributor; confidence: medium; commits: da34f81ce237, a2cb81199e22; files: src/commands/doctor-auth.ts, src/commands/doctor-gateway-health.ts)
• gumadeiras: Gustavo Madeira Santana has history on session and cron maintenance hardening, which overlaps the PR's structured repair preview coverage. (role: adjacent session/cron contributor; confidence: medium; commits: eff3c5c70778; files: src/commands/doctor-session-locks.ts, src/commands/doctor-cron.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 299ed808347c.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: purrs at green checks.
Image traits: location proof lagoon; accessory shell-shaped keyboard; palette violet, aqua, and starlight; mood curious; pose waving from a small platform; shell paper lantern shell; lighting tiny status-light glow; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Diff Drake in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[giodl73-repo]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26314551950
• Updated: 2026-05-22T22:22:57.932Z