@better-openclaw/core 1.0.20 → 1.0.21

package/dist/deployers/strip-host-ports.cjs

@@ -0,0 +1,138 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_chunk = require('../chunk-C0xms8kb.cjs');
+let yaml = require("yaml");
+
+//#region src/deployers/strip-host-ports.ts
+/**
+* Strips host port bindings from a Docker Compose YAML string.
+*
+* When deploying to a PaaS like Dokploy or Coolify, services don't need
+* host port mappings because routing is handled by the platform's built-in
+* reverse proxy (Traefik). Binding to host ports causes "port already
+* allocated" errors when ports are in use by other services on the server.
+*
+* Transforms port mappings:
+*   "8080:8080"        → "8080"        (container port only)
+*   "0.0.0.0:8080:80"  → "80"          (container port only)
+*   "8080:80/tcp"       → "80/tcp"      (preserves protocol)
+*   { published: 8080, target: 80 }    → { target: 80 }
+*
+* The `expose` field is left untouched since it only defines internal ports.
+*/
+/**
+* Strips host port bindings from a Docker Compose YAML string,
+* keeping only the container (target) ports.
+*
+* Returns the modified YAML string.
+*/
+function stripHostPorts(composeYaml) {
+	const doc = (0, yaml.parse)(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		if (!service.ports || !Array.isArray(service.ports)) continue;
+		service.ports = service.ports.map((port) => {
+			if (typeof port === "string") return stripStringPort(port);
+			if (typeof port === "object" && port !== null) return stripObjectPort(port);
+			return port;
+		});
+	}
+	return (0, yaml.stringify)(doc, { lineWidth: 200 });
+}
+/**
+* Strips host portion from a string port mapping.
+*
+* "8080:80"          → "80"
+* "0.0.0.0:8080:80"  → "80"
+* "80"               → "80"  (no change)
+* "80/tcp"           → "80/tcp"
+* "8080:80/tcp"      → "80/tcp"
+*/
+function stripStringPort(port) {
+	const protocolIdx = port.lastIndexOf("/");
+	let protocol = "";
+	let portSpec = port;
+	if (protocolIdx > 0) {
+		protocol = port.substring(protocolIdx);
+		portSpec = port.substring(0, protocolIdx);
+	}
+	const parts = portSpec.split(":");
+	return `${parts[parts.length - 1]}${protocol}`;
+}
+/**
+* Strips host/published from an object port mapping.
+*
+* { target: 80, published: 8080 }  → { target: 80 }
+*/
+function stripObjectPort(port) {
+	const { published: _, host_ip: __, ...rest } = port;
+	return rest;
+}
+/**
+* Strips local bind mounts (paths starting with `./`) from a Docker
+* Compose YAML string.
+*
+* When deploying to a PaaS like Dokploy or Coolify as a raw compose
+* stack, there is no cloned repository — so host-relative volume mounts
+* like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`
+* will fail because the file doesn't exist on the remote server.
+*
+* Named volumes (e.g. `redis-data:/data`) and absolute system paths
+* (e.g. `/var/run/docker.sock`) are kept intact.
+*/
+function stripLocalBindMounts(composeYaml) {
+	const doc = (0, yaml.parse)(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		if (!service.volumes || !Array.isArray(service.volumes)) continue;
+		service.volumes = service.volumes.filter((vol) => {
+			if (typeof vol === "string") return !vol.startsWith("./");
+			if (typeof vol === "object" && vol !== null) {
+				const src = vol.source;
+				return !(typeof src === "string" && src.startsWith("./"));
+			}
+			return true;
+		});
+		if (service.volumes.length === 0) delete service.volumes;
+	}
+	return (0, yaml.stringify)(doc, { lineWidth: 200 });
+}
+/**
+* Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)
+* from all services in a Docker Compose YAML string.
+*
+* Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and
+* use `gosu`/`su-exec` to drop privileges to a non-root user.  This
+* requires `SETUID`, `SETGID`, and other capabilities.  The hardened
+* compose output adds `cap_drop: ALL` + `no-new-privileges`, which
+* prevents this user switch and causes containers to crash with:
+*   "failed switching to 'postgres': operation not permitted"
+*
+* PaaS platforms (Dokploy, Coolify) manage their own container security,
+* so these options are unnecessary and should be removed.
+*/
+function stripSecurityHardening(composeYaml) {
+	const doc = (0, yaml.parse)(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		delete service.cap_drop;
+		delete service.cap_add;
+		delete service.security_opt;
+	}
+	return (0, yaml.stringify)(doc, { lineWidth: 200 });
+}
+/**
+* Applies all PaaS-specific sanitisations to a Docker Compose YAML string:
+* 1. Strips host port bindings (avoids "port already allocated" errors)
+* 2. Strips local bind mounts (files don't exist on remote PaaS servers)
+* 3. Strips security hardening (cap_drop/security_opt break user switching)
+*/
+function sanitizeComposeForPaas(composeYaml) {
+	return stripSecurityHardening(stripLocalBindMounts(stripHostPorts(composeYaml)));
+}
+
+//#endregion
+exports.sanitizeComposeForPaas = sanitizeComposeForPaas;
+exports.stripHostPorts = stripHostPorts;
+exports.stripLocalBindMounts = stripLocalBindMounts;
+exports.stripSecurityHardening = stripSecurityHardening;
+//# sourceMappingURL=strip-host-ports.cjs.map

package/dist/deployers/strip-host-ports.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.cjs","names":[],"sources":["../../src/deployers/strip-host-ports.ts"],"sourcesContent":["/**\n * Strips host port bindings from a Docker Compose YAML string.\n *\n * When deploying to a PaaS like Dokploy or Coolify, services don't need\n * host port mappings because routing is handled by the platform's built-in\n * reverse proxy (Traefik). Binding to host ports causes \"port already\n * allocated\" errors when ports are in use by other services on the server.\n *\n * Transforms port mappings:\n *   \"8080:8080\"        → \"8080\"        (container port only)\n *   \"0.0.0.0:8080:80\"  → \"80\"          (container port only)\n *   \"8080:80/tcp\"       → \"80/tcp\"      (preserves protocol)\n *   { published: 8080, target: 80 }    → { target: 80 }\n *\n * The `expose` field is left untouched since it only defines internal ports.\n */\n\nimport { parse, stringify } from \"yaml\";\n\ninterface ComposeService {\n\tports?: (string | PortObject)[];\n\tvolumes?: (string | Record<string, unknown>)[];\n\t[key: string]: unknown;\n}\n\ninterface PortObject {\n\ttarget: number;\n\tpublished?: number | string;\n\thost_ip?: string;\n\tprotocol?: string;\n\t[key: string]: unknown;\n}\n\ninterface ComposeFile {\n\tservices?: Record<string, ComposeService>;\n\t[key: string]: unknown;\n}\n\n/**\n * Strips host port bindings from a Docker Compose YAML string,\n * keeping only the container (target) ports.\n *\n * Returns the modified YAML string.\n */\nexport function stripHostPorts(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tif (!service.ports || !Array.isArray(service.ports)) continue;\n\n\t\tservice.ports = service.ports.map((port) => {\n\t\t\tif (typeof port === \"string\") {\n\t\t\t\treturn stripStringPort(port);\n\t\t\t}\n\t\t\tif (typeof port === \"object\" && port !== null) {\n\t\t\t\treturn stripObjectPort(port);\n\t\t\t}\n\t\t\treturn port;\n\t\t});\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Strips host portion from a string port mapping.\n *\n * \"8080:80\"          → \"80\"\n * \"0.0.0.0:8080:80\"  → \"80\"\n * \"80\"               → \"80\"  (no change)\n * \"80/tcp\"           → \"80/tcp\"\n * \"8080:80/tcp\"      → \"80/tcp\"\n */\nfunction stripStringPort(port: string): string {\n\t// Split off protocol if present (e.g. \"/tcp\", \"/udp\")\n\tconst protocolIdx = port.lastIndexOf(\"/\");\n\tlet protocol = \"\";\n\tlet portSpec = port;\n\n\tif (protocolIdx > 0) {\n\t\tprotocol = port.substring(protocolIdx); // includes the \"/\"\n\t\tportSpec = port.substring(0, protocolIdx);\n\t}\n\n\t// Split by \":\" — formats are:\n\t//   \"80\"                → container only\n\t//   \"8080:80\"           → host:container\n\t//   \"0.0.0.0:8080:80\"  → ip:host:container\n\tconst parts = portSpec.split(\":\");\n\n\t// Take the last part as the container port\n\tconst containerPort = parts[parts.length - 1];\n\n\treturn `${containerPort}${protocol}`;\n}\n\n/**\n * Strips host/published from an object port mapping.\n *\n * { target: 80, published: 8080 }  → { target: 80 }\n */\nfunction stripObjectPort(port: PortObject): PortObject {\n\tconst { published: _, host_ip: __, ...rest } = port;\n\treturn rest;\n}\n\n/**\n * Strips local bind mounts (paths starting with `./`) from a Docker\n * Compose YAML string.\n *\n * When deploying to a PaaS like Dokploy or Coolify as a raw compose\n * stack, there is no cloned repository — so host-relative volume mounts\n * like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`\n * will fail because the file doesn't exist on the remote server.\n *\n * Named volumes (e.g. `redis-data:/data`) and absolute system paths\n * (e.g. `/var/run/docker.sock`) are kept intact.\n */\nexport function stripLocalBindMounts(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tif (!service.volumes || !Array.isArray(service.volumes)) continue;\n\n\t\tservice.volumes = (service.volumes as (string | Record<string, unknown>)[]).filter((vol) => {\n\t\t\tif (typeof vol === \"string\") {\n\t\t\t\t// Bind mounts starting with \"./\" reference local files\n\t\t\t\treturn !vol.startsWith(\"./\");\n\t\t\t}\n\t\t\t// Object-form: { type: \"bind\", source: \"./...\" }\n\t\t\tif (typeof vol === \"object\" && vol !== null) {\n\t\t\t\tconst src = (vol as Record<string, unknown>).source;\n\t\t\t\treturn !(typeof src === \"string\" && src.startsWith(\"./\"));\n\t\t\t}\n\t\t\treturn true;\n\t\t});\n\n\t\t// Remove empty volumes array to keep YAML clean\n\t\tif (service.volumes.length === 0) {\n\t\t\tdelete service.volumes;\n\t\t}\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)\n * from all services in a Docker Compose YAML string.\n *\n * Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and\n * use `gosu`/`su-exec` to drop privileges to a non-root user.  This\n * requires `SETUID`, `SETGID`, and other capabilities.  The hardened\n * compose output adds `cap_drop: ALL` + `no-new-privileges`, which\n * prevents this user switch and causes containers to crash with:\n *   \"failed switching to 'postgres': operation not permitted\"\n *\n * PaaS platforms (Dokploy, Coolify) manage their own container security,\n * so these options are unnecessary and should be removed.\n */\nexport function stripSecurityHardening(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tdelete service.cap_drop;\n\t\tdelete service.cap_add;\n\t\tdelete service.security_opt;\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Applies all PaaS-specific sanitisations to a Docker Compose YAML string:\n * 1. Strips host port bindings (avoids \"port already allocated\" errors)\n * 2. Strips local bind mounts (files don't exist on remote PaaS servers)\n * 3. Strips security hardening (cap_drop/security_opt break user switching)\n */\nexport function sanitizeComposeForPaas(composeYaml: string): string {\n\treturn stripSecurityHardening(stripLocalBindMounts(stripHostPorts(composeYaml)));\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,SAAgB,eAAe,aAA6B;CAC3D,MAAM,sBAAY,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,MAAI,CAAC,QAAQ,SAAS,CAAC,MAAM,QAAQ,QAAQ,MAAM,CAAE;AAErD,UAAQ,QAAQ,QAAQ,MAAM,KAAK,SAAS;AAC3C,OAAI,OAAO,SAAS,SACnB,QAAO,gBAAgB,KAAK;AAE7B,OAAI,OAAO,SAAS,YAAY,SAAS,KACxC,QAAO,gBAAgB,KAAK;AAE7B,UAAO;IACN;;AAGH,4BAAiB,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;;;;AAY1C,SAAS,gBAAgB,MAAsB;CAE9C,MAAM,cAAc,KAAK,YAAY,IAAI;CACzC,IAAI,WAAW;CACf,IAAI,WAAW;AAEf,KAAI,cAAc,GAAG;AACpB,aAAW,KAAK,UAAU,YAAY;AACtC,aAAW,KAAK,UAAU,GAAG,YAAY;;CAO1C,MAAM,QAAQ,SAAS,MAAM,IAAI;AAKjC,QAAO,GAFe,MAAM,MAAM,SAAS,KAEjB;;;;;;;AAQ3B,SAAS,gBAAgB,MAA8B;CACtD,MAAM,EAAE,WAAW,GAAG,SAAS,IAAI,GAAG,SAAS;AAC/C,QAAO;;;;;;;;;;;;;;AAeR,SAAgB,qBAAqB,aAA6B;CACjE,MAAM,sBAAY,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,MAAI,CAAC,QAAQ,WAAW,CAAC,MAAM,QAAQ,QAAQ,QAAQ,CAAE;AAEzD,UAAQ,UAAW,QAAQ,QAAiD,QAAQ,QAAQ;AAC3F,OAAI,OAAO,QAAQ,SAElB,QAAO,CAAC,IAAI,WAAW,KAAK;AAG7B,OAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;IAC5C,MAAM,MAAO,IAAgC;AAC7C,WAAO,EAAE,OAAO,QAAQ,YAAY,IAAI,WAAW,KAAK;;AAEzD,UAAO;IACN;AAGF,MAAI,QAAQ,QAAQ,WAAW,EAC9B,QAAO,QAAQ;;AAIjB,4BAAiB,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;;;;;;;;;AAiB1C,SAAgB,uBAAuB,aAA6B;CACnE,MAAM,sBAAY,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,SAAO,QAAQ;AACf,SAAO,QAAQ;AACf,SAAO,QAAQ;;AAGhB,4BAAiB,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;AAS1C,SAAgB,uBAAuB,aAA6B;AACnE,QAAO,uBAAuB,qBAAqB,eAAe,YAAY,CAAC,CAAC"}

package/dist/deployers/strip-host-ports.d.cts

@@ -0,0 +1,62 @@
+//#region src/deployers/strip-host-ports.d.ts
+/**
+ * Strips host port bindings from a Docker Compose YAML string.
+ *
+ * When deploying to a PaaS like Dokploy or Coolify, services don't need
+ * host port mappings because routing is handled by the platform's built-in
+ * reverse proxy (Traefik). Binding to host ports causes "port already
+ * allocated" errors when ports are in use by other services on the server.
+ *
+ * Transforms port mappings:
+ *   "8080:8080"        → "8080"        (container port only)
+ *   "0.0.0.0:8080:80"  → "80"          (container port only)
+ *   "8080:80/tcp"       → "80/tcp"      (preserves protocol)
+ *   { published: 8080, target: 80 }    → { target: 80 }
+ *
+ * The `expose` field is left untouched since it only defines internal ports.
+ */
+/**
+ * Strips host port bindings from a Docker Compose YAML string,
+ * keeping only the container (target) ports.
+ *
+ * Returns the modified YAML string.
+ */
+declare function stripHostPorts(composeYaml: string): string;
+/**
+ * Strips local bind mounts (paths starting with `./`) from a Docker
+ * Compose YAML string.
+ *
+ * When deploying to a PaaS like Dokploy or Coolify as a raw compose
+ * stack, there is no cloned repository — so host-relative volume mounts
+ * like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`
+ * will fail because the file doesn't exist on the remote server.
+ *
+ * Named volumes (e.g. `redis-data:/data`) and absolute system paths
+ * (e.g. `/var/run/docker.sock`) are kept intact.
+ */
+declare function stripLocalBindMounts(composeYaml: string): string;
+/**
+ * Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)
+ * from all services in a Docker Compose YAML string.
+ *
+ * Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and
+ * use `gosu`/`su-exec` to drop privileges to a non-root user.  This
+ * requires `SETUID`, `SETGID`, and other capabilities.  The hardened
+ * compose output adds `cap_drop: ALL` + `no-new-privileges`, which
+ * prevents this user switch and causes containers to crash with:
+ *   "failed switching to 'postgres': operation not permitted"
+ *
+ * PaaS platforms (Dokploy, Coolify) manage their own container security,
+ * so these options are unnecessary and should be removed.
+ */
+declare function stripSecurityHardening(composeYaml: string): string;
+/**
+ * Applies all PaaS-specific sanitisations to a Docker Compose YAML string:
+ * 1. Strips host port bindings (avoids "port already allocated" errors)
+ * 2. Strips local bind mounts (files don't exist on remote PaaS servers)
+ * 3. Strips security hardening (cap_drop/security_opt break user switching)
+ */
+declare function sanitizeComposeForPaas(composeYaml: string): string;
+//#endregion
+export { sanitizeComposeForPaas, stripHostPorts, stripLocalBindMounts, stripSecurityHardening };
+//# sourceMappingURL=strip-host-ports.d.cts.map

package/dist/deployers/strip-host-ports.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.d.cts","names":[],"sources":["../../src/deployers/strip-host-ports.ts"],"mappings":";;AA4CA;;;;;AA4EA;;;;;AA4CA;;;;;AAoBA;;;;;;AAAA,iBA5IgB,cAAA,CAAe,WAAA;;;;;;;;;;;;;iBA4Ef,oBAAA,CAAqB,WAAA;;;;;;;;;;;;;;;iBA4CrB,sBAAA,CAAuB,WAAA;;;;;;;iBAoBvB,sBAAA,CAAuB,WAAA"}

package/dist/deployers/strip-host-ports.d.mts

@@ -0,0 +1,62 @@
+//#region src/deployers/strip-host-ports.d.ts
+/**
+ * Strips host port bindings from a Docker Compose YAML string.
+ *
+ * When deploying to a PaaS like Dokploy or Coolify, services don't need
+ * host port mappings because routing is handled by the platform's built-in
+ * reverse proxy (Traefik). Binding to host ports causes "port already
+ * allocated" errors when ports are in use by other services on the server.
+ *
+ * Transforms port mappings:
+ *   "8080:8080"        → "8080"        (container port only)
+ *   "0.0.0.0:8080:80"  → "80"          (container port only)
+ *   "8080:80/tcp"       → "80/tcp"      (preserves protocol)
+ *   { published: 8080, target: 80 }    → { target: 80 }
+ *
+ * The `expose` field is left untouched since it only defines internal ports.
+ */
+/**
+ * Strips host port bindings from a Docker Compose YAML string,
+ * keeping only the container (target) ports.
+ *
+ * Returns the modified YAML string.
+ */
+declare function stripHostPorts(composeYaml: string): string;
+/**
+ * Strips local bind mounts (paths starting with `./`) from a Docker
+ * Compose YAML string.
+ *
+ * When deploying to a PaaS like Dokploy or Coolify as a raw compose
+ * stack, there is no cloned repository — so host-relative volume mounts
+ * like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`
+ * will fail because the file doesn't exist on the remote server.
+ *
+ * Named volumes (e.g. `redis-data:/data`) and absolute system paths
+ * (e.g. `/var/run/docker.sock`) are kept intact.
+ */
+declare function stripLocalBindMounts(composeYaml: string): string;
+/**
+ * Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)
+ * from all services in a Docker Compose YAML string.
+ *
+ * Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and
+ * use `gosu`/`su-exec` to drop privileges to a non-root user.  This
+ * requires `SETUID`, `SETGID`, and other capabilities.  The hardened
+ * compose output adds `cap_drop: ALL` + `no-new-privileges`, which
+ * prevents this user switch and causes containers to crash with:
+ *   "failed switching to 'postgres': operation not permitted"
+ *
+ * PaaS platforms (Dokploy, Coolify) manage their own container security,
+ * so these options are unnecessary and should be removed.
+ */
+declare function stripSecurityHardening(composeYaml: string): string;
+/**
+ * Applies all PaaS-specific sanitisations to a Docker Compose YAML string:
+ * 1. Strips host port bindings (avoids "port already allocated" errors)
+ * 2. Strips local bind mounts (files don't exist on remote PaaS servers)
+ * 3. Strips security hardening (cap_drop/security_opt break user switching)
+ */
+declare function sanitizeComposeForPaas(composeYaml: string): string;
+//#endregion
+export { sanitizeComposeForPaas, stripHostPorts, stripLocalBindMounts, stripSecurityHardening };
+//# sourceMappingURL=strip-host-ports.d.mts.map

package/dist/deployers/strip-host-ports.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.d.mts","names":[],"sources":["../../src/deployers/strip-host-ports.ts"],"mappings":";;AA4CA;;;;;AA4EA;;;;;AA4CA;;;;;AAoBA;;;;;;AAAA,iBA5IgB,cAAA,CAAe,WAAA;;;;;;;;;;;;;iBA4Ef,oBAAA,CAAqB,WAAA;;;;;;;;;;;;;;;iBA4CrB,sBAAA,CAAuB,WAAA;;;;;;;iBAoBvB,sBAAA,CAAuB,WAAA"}

package/dist/deployers/strip-host-ports.mjs

@@ -0,0 +1,133 @@
+import { parse, stringify } from "yaml";
+
+//#region src/deployers/strip-host-ports.ts
+/**
+* Strips host port bindings from a Docker Compose YAML string.
+*
+* When deploying to a PaaS like Dokploy or Coolify, services don't need
+* host port mappings because routing is handled by the platform's built-in
+* reverse proxy (Traefik). Binding to host ports causes "port already
+* allocated" errors when ports are in use by other services on the server.
+*
+* Transforms port mappings:
+*   "8080:8080"        → "8080"        (container port only)
+*   "0.0.0.0:8080:80"  → "80"          (container port only)
+*   "8080:80/tcp"       → "80/tcp"      (preserves protocol)
+*   { published: 8080, target: 80 }    → { target: 80 }
+*
+* The `expose` field is left untouched since it only defines internal ports.
+*/
+/**
+* Strips host port bindings from a Docker Compose YAML string,
+* keeping only the container (target) ports.
+*
+* Returns the modified YAML string.
+*/
+function stripHostPorts(composeYaml) {
+	const doc = parse(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		if (!service.ports || !Array.isArray(service.ports)) continue;
+		service.ports = service.ports.map((port) => {
+			if (typeof port === "string") return stripStringPort(port);
+			if (typeof port === "object" && port !== null) return stripObjectPort(port);
+			return port;
+		});
+	}
+	return stringify(doc, { lineWidth: 200 });
+}
+/**
+* Strips host portion from a string port mapping.
+*
+* "8080:80"          → "80"
+* "0.0.0.0:8080:80"  → "80"
+* "80"               → "80"  (no change)
+* "80/tcp"           → "80/tcp"
+* "8080:80/tcp"      → "80/tcp"
+*/
+function stripStringPort(port) {
+	const protocolIdx = port.lastIndexOf("/");
+	let protocol = "";
+	let portSpec = port;
+	if (protocolIdx > 0) {
+		protocol = port.substring(protocolIdx);
+		portSpec = port.substring(0, protocolIdx);
+	}
+	const parts = portSpec.split(":");
+	return `${parts[parts.length - 1]}${protocol}`;
+}
+/**
+* Strips host/published from an object port mapping.
+*
+* { target: 80, published: 8080 }  → { target: 80 }
+*/
+function stripObjectPort(port) {
+	const { published: _, host_ip: __, ...rest } = port;
+	return rest;
+}
+/**
+* Strips local bind mounts (paths starting with `./`) from a Docker
+* Compose YAML string.
+*
+* When deploying to a PaaS like Dokploy or Coolify as a raw compose
+* stack, there is no cloned repository — so host-relative volume mounts
+* like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`
+* will fail because the file doesn't exist on the remote server.
+*
+* Named volumes (e.g. `redis-data:/data`) and absolute system paths
+* (e.g. `/var/run/docker.sock`) are kept intact.
+*/
+function stripLocalBindMounts(composeYaml) {
+	const doc = parse(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		if (!service.volumes || !Array.isArray(service.volumes)) continue;
+		service.volumes = service.volumes.filter((vol) => {
+			if (typeof vol === "string") return !vol.startsWith("./");
+			if (typeof vol === "object" && vol !== null) {
+				const src = vol.source;
+				return !(typeof src === "string" && src.startsWith("./"));
+			}
+			return true;
+		});
+		if (service.volumes.length === 0) delete service.volumes;
+	}
+	return stringify(doc, { lineWidth: 200 });
+}
+/**
+* Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)
+* from all services in a Docker Compose YAML string.
+*
+* Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and
+* use `gosu`/`su-exec` to drop privileges to a non-root user.  This
+* requires `SETUID`, `SETGID`, and other capabilities.  The hardened
+* compose output adds `cap_drop: ALL` + `no-new-privileges`, which
+* prevents this user switch and causes containers to crash with:
+*   "failed switching to 'postgres': operation not permitted"
+*
+* PaaS platforms (Dokploy, Coolify) manage their own container security,
+* so these options are unnecessary and should be removed.
+*/
+function stripSecurityHardening(composeYaml) {
+	const doc = parse(composeYaml);
+	if (!doc?.services) return composeYaml;
+	for (const [, service] of Object.entries(doc.services)) {
+		delete service.cap_drop;
+		delete service.cap_add;
+		delete service.security_opt;
+	}
+	return stringify(doc, { lineWidth: 200 });
+}
+/**
+* Applies all PaaS-specific sanitisations to a Docker Compose YAML string:
+* 1. Strips host port bindings (avoids "port already allocated" errors)
+* 2. Strips local bind mounts (files don't exist on remote PaaS servers)
+* 3. Strips security hardening (cap_drop/security_opt break user switching)
+*/
+function sanitizeComposeForPaas(composeYaml) {
+	return stripSecurityHardening(stripLocalBindMounts(stripHostPorts(composeYaml)));
+}
+
+//#endregion
+export { sanitizeComposeForPaas, stripHostPorts, stripLocalBindMounts, stripSecurityHardening };
+//# sourceMappingURL=strip-host-ports.mjs.map

package/dist/deployers/strip-host-ports.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.mjs","names":[],"sources":["../../src/deployers/strip-host-ports.ts"],"sourcesContent":["/**\n * Strips host port bindings from a Docker Compose YAML string.\n *\n * When deploying to a PaaS like Dokploy or Coolify, services don't need\n * host port mappings because routing is handled by the platform's built-in\n * reverse proxy (Traefik). Binding to host ports causes \"port already\n * allocated\" errors when ports are in use by other services on the server.\n *\n * Transforms port mappings:\n *   \"8080:8080\"        → \"8080\"        (container port only)\n *   \"0.0.0.0:8080:80\"  → \"80\"          (container port only)\n *   \"8080:80/tcp\"       → \"80/tcp\"      (preserves protocol)\n *   { published: 8080, target: 80 }    → { target: 80 }\n *\n * The `expose` field is left untouched since it only defines internal ports.\n */\n\nimport { parse, stringify } from \"yaml\";\n\ninterface ComposeService {\n\tports?: (string | PortObject)[];\n\tvolumes?: (string | Record<string, unknown>)[];\n\t[key: string]: unknown;\n}\n\ninterface PortObject {\n\ttarget: number;\n\tpublished?: number | string;\n\thost_ip?: string;\n\tprotocol?: string;\n\t[key: string]: unknown;\n}\n\ninterface ComposeFile {\n\tservices?: Record<string, ComposeService>;\n\t[key: string]: unknown;\n}\n\n/**\n * Strips host port bindings from a Docker Compose YAML string,\n * keeping only the container (target) ports.\n *\n * Returns the modified YAML string.\n */\nexport function stripHostPorts(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tif (!service.ports || !Array.isArray(service.ports)) continue;\n\n\t\tservice.ports = service.ports.map((port) => {\n\t\t\tif (typeof port === \"string\") {\n\t\t\t\treturn stripStringPort(port);\n\t\t\t}\n\t\t\tif (typeof port === \"object\" && port !== null) {\n\t\t\t\treturn stripObjectPort(port);\n\t\t\t}\n\t\t\treturn port;\n\t\t});\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Strips host portion from a string port mapping.\n *\n * \"8080:80\"          → \"80\"\n * \"0.0.0.0:8080:80\"  → \"80\"\n * \"80\"               → \"80\"  (no change)\n * \"80/tcp\"           → \"80/tcp\"\n * \"8080:80/tcp\"      → \"80/tcp\"\n */\nfunction stripStringPort(port: string): string {\n\t// Split off protocol if present (e.g. \"/tcp\", \"/udp\")\n\tconst protocolIdx = port.lastIndexOf(\"/\");\n\tlet protocol = \"\";\n\tlet portSpec = port;\n\n\tif (protocolIdx > 0) {\n\t\tprotocol = port.substring(protocolIdx); // includes the \"/\"\n\t\tportSpec = port.substring(0, protocolIdx);\n\t}\n\n\t// Split by \":\" — formats are:\n\t//   \"80\"                → container only\n\t//   \"8080:80\"           → host:container\n\t//   \"0.0.0.0:8080:80\"  → ip:host:container\n\tconst parts = portSpec.split(\":\");\n\n\t// Take the last part as the container port\n\tconst containerPort = parts[parts.length - 1];\n\n\treturn `${containerPort}${protocol}`;\n}\n\n/**\n * Strips host/published from an object port mapping.\n *\n * { target: 80, published: 8080 }  → { target: 80 }\n */\nfunction stripObjectPort(port: PortObject): PortObject {\n\tconst { published: _, host_ip: __, ...rest } = port;\n\treturn rest;\n}\n\n/**\n * Strips local bind mounts (paths starting with `./`) from a Docker\n * Compose YAML string.\n *\n * When deploying to a PaaS like Dokploy or Coolify as a raw compose\n * stack, there is no cloned repository — so host-relative volume mounts\n * like `./postgres/init-databases.sh:/docker-entrypoint-initdb.d/...`\n * will fail because the file doesn't exist on the remote server.\n *\n * Named volumes (e.g. `redis-data:/data`) and absolute system paths\n * (e.g. `/var/run/docker.sock`) are kept intact.\n */\nexport function stripLocalBindMounts(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tif (!service.volumes || !Array.isArray(service.volumes)) continue;\n\n\t\tservice.volumes = (service.volumes as (string | Record<string, unknown>)[]).filter((vol) => {\n\t\t\tif (typeof vol === \"string\") {\n\t\t\t\t// Bind mounts starting with \"./\" reference local files\n\t\t\t\treturn !vol.startsWith(\"./\");\n\t\t\t}\n\t\t\t// Object-form: { type: \"bind\", source: \"./...\" }\n\t\t\tif (typeof vol === \"object\" && vol !== null) {\n\t\t\t\tconst src = (vol as Record<string, unknown>).source;\n\t\t\t\treturn !(typeof src === \"string\" && src.startsWith(\"./\"));\n\t\t\t}\n\t\t\treturn true;\n\t\t});\n\n\t\t// Remove empty volumes array to keep YAML clean\n\t\tif (service.volumes.length === 0) {\n\t\t\tdelete service.volumes;\n\t\t}\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Strips security hardening options (`cap_drop`, `cap_add`, `security_opt`)\n * from all services in a Docker Compose YAML string.\n *\n * Many Docker images (PostgreSQL, Redis, MinIO, etc.) start as root and\n * use `gosu`/`su-exec` to drop privileges to a non-root user.  This\n * requires `SETUID`, `SETGID`, and other capabilities.  The hardened\n * compose output adds `cap_drop: ALL` + `no-new-privileges`, which\n * prevents this user switch and causes containers to crash with:\n *   \"failed switching to 'postgres': operation not permitted\"\n *\n * PaaS platforms (Dokploy, Coolify) manage their own container security,\n * so these options are unnecessary and should be removed.\n */\nexport function stripSecurityHardening(composeYaml: string): string {\n\tconst doc = parse(composeYaml) as ComposeFile;\n\n\tif (!doc?.services) return composeYaml;\n\n\tfor (const [, service] of Object.entries(doc.services)) {\n\t\tdelete service.cap_drop;\n\t\tdelete service.cap_add;\n\t\tdelete service.security_opt;\n\t}\n\n\treturn stringify(doc, { lineWidth: 200 });\n}\n\n/**\n * Applies all PaaS-specific sanitisations to a Docker Compose YAML string:\n * 1. Strips host port bindings (avoids \"port already allocated\" errors)\n * 2. Strips local bind mounts (files don't exist on remote PaaS servers)\n * 3. Strips security hardening (cap_drop/security_opt break user switching)\n */\nexport function sanitizeComposeForPaas(composeYaml: string): string {\n\treturn stripSecurityHardening(stripLocalBindMounts(stripHostPorts(composeYaml)));\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,SAAgB,eAAe,aAA6B;CAC3D,MAAM,MAAM,MAAM,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,MAAI,CAAC,QAAQ,SAAS,CAAC,MAAM,QAAQ,QAAQ,MAAM,CAAE;AAErD,UAAQ,QAAQ,QAAQ,MAAM,KAAK,SAAS;AAC3C,OAAI,OAAO,SAAS,SACnB,QAAO,gBAAgB,KAAK;AAE7B,OAAI,OAAO,SAAS,YAAY,SAAS,KACxC,QAAO,gBAAgB,KAAK;AAE7B,UAAO;IACN;;AAGH,QAAO,UAAU,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;;;;AAY1C,SAAS,gBAAgB,MAAsB;CAE9C,MAAM,cAAc,KAAK,YAAY,IAAI;CACzC,IAAI,WAAW;CACf,IAAI,WAAW;AAEf,KAAI,cAAc,GAAG;AACpB,aAAW,KAAK,UAAU,YAAY;AACtC,aAAW,KAAK,UAAU,GAAG,YAAY;;CAO1C,MAAM,QAAQ,SAAS,MAAM,IAAI;AAKjC,QAAO,GAFe,MAAM,MAAM,SAAS,KAEjB;;;;;;;AAQ3B,SAAS,gBAAgB,MAA8B;CACtD,MAAM,EAAE,WAAW,GAAG,SAAS,IAAI,GAAG,SAAS;AAC/C,QAAO;;;;;;;;;;;;;;AAeR,SAAgB,qBAAqB,aAA6B;CACjE,MAAM,MAAM,MAAM,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,MAAI,CAAC,QAAQ,WAAW,CAAC,MAAM,QAAQ,QAAQ,QAAQ,CAAE;AAEzD,UAAQ,UAAW,QAAQ,QAAiD,QAAQ,QAAQ;AAC3F,OAAI,OAAO,QAAQ,SAElB,QAAO,CAAC,IAAI,WAAW,KAAK;AAG7B,OAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;IAC5C,MAAM,MAAO,IAAgC;AAC7C,WAAO,EAAE,OAAO,QAAQ,YAAY,IAAI,WAAW,KAAK;;AAEzD,UAAO;IACN;AAGF,MAAI,QAAQ,QAAQ,WAAW,EAC9B,QAAO,QAAQ;;AAIjB,QAAO,UAAU,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;;;;;;;;;AAiB1C,SAAgB,uBAAuB,aAA6B;CACnE,MAAM,MAAM,MAAM,YAAY;AAE9B,KAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAK,MAAM,GAAG,YAAY,OAAO,QAAQ,IAAI,SAAS,EAAE;AACvD,SAAO,QAAQ;AACf,SAAO,QAAQ;AACf,SAAO,QAAQ;;AAGhB,QAAO,UAAU,KAAK,EAAE,WAAW,KAAK,CAAC;;;;;;;;AAS1C,SAAgB,uBAAuB,aAA6B;AACnE,QAAO,uBAAuB,qBAAqB,eAAe,YAAY,CAAC,CAAC"}

package/dist/deployers/strip-host-ports.test.cjs

@@ -0,0 +1,89 @@
+const require_vi_2VT5v0um = require('../vi.2VT5v0um-BmRMvymT.cjs');
+const require_deployers_strip_host_ports = require('./strip-host-ports.cjs');
+
+//#region src/deployers/strip-host-ports.test.ts
+require_vi_2VT5v0um.describe("stripHostPorts", () => {
+	require_vi_2VT5v0um.it("strips host port from short syntax (host:container)", () => {
+		const result = require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80"
+      - "443:443"
+`);
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"80\"");
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"443\"");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("8080");
+	});
+	require_vi_2VT5v0um.it("strips host IP and port from extended short syntax", () => {
+		const result = require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "0.0.0.0:8080:80"
+`);
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"80\"");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("8080");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("0.0.0.0");
+	});
+	require_vi_2VT5v0um.it("preserves protocol suffix", () => {
+		const result = require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80/tcp"
+      - "5353:53/udp"
+`);
+		require_vi_2VT5v0um.globalExpect(result).toContain("80/tcp");
+		require_vi_2VT5v0um.globalExpect(result).toContain("53/udp");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("8080");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("5353");
+	});
+	require_vi_2VT5v0um.it("keeps container-only ports unchanged", () => {
+		require_vi_2VT5v0um.globalExpect(require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "80"
+`)).toContain("\"80\"");
+	});
+	require_vi_2VT5v0um.it("handles multiple services", () => {
+		const result = require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80"
+  redis:
+    image: redis
+    ports:
+      - "6379:6379"
+  searxng:
+    image: searxng/searxng
+    ports:
+      - "8888:8080"
+`);
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"80\"");
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"6379\"");
+		require_vi_2VT5v0um.globalExpect(result).toContain("\"8080\"");
+		require_vi_2VT5v0um.globalExpect(result).not.toContain("8888");
+	});
+	require_vi_2VT5v0um.it("returns original YAML if no services section", () => {
+		const yaml = `version: "3"`;
+		require_vi_2VT5v0um.globalExpect(require_deployers_strip_host_ports.stripHostPorts(yaml)).toBe(yaml);
+	});
+	require_vi_2VT5v0um.it("handles services with no ports", () => {
+		require_vi_2VT5v0um.globalExpect(require_deployers_strip_host_ports.stripHostPorts(`
+services:
+  web:
+    image: nginx
+`)).toContain("nginx");
+	});
+});
+
+//#endregion
+//# sourceMappingURL=strip-host-ports.test.cjs.map

package/dist/deployers/strip-host-ports.test.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.test.cjs","names":["describe","stripHostPorts"],"sources":["../../src/deployers/strip-host-ports.test.ts"],"sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport { stripHostPorts } from \"./strip-host-ports.js\";\n\ndescribe(\"stripHostPorts\", () => {\n\tit(\"strips host port from short syntax (host:container)\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80\"\n      - \"443:443\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).toContain('\"443\"');\n\t\texpect(result).not.toContain(\"8080\");\n\t});\n\n\tit(\"strips host IP and port from extended short syntax\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"0.0.0.0:8080:80\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).not.toContain(\"8080\");\n\t\texpect(result).not.toContain(\"0.0.0.0\");\n\t});\n\n\tit(\"preserves protocol suffix\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80/tcp\"\n      - \"5353:53/udp\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain(\"80/tcp\");\n\t\texpect(result).toContain(\"53/udp\");\n\t\texpect(result).not.toContain(\"8080\");\n\t\texpect(result).not.toContain(\"5353\");\n\t});\n\n\tit(\"keeps container-only ports unchanged\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"80\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t});\n\n\tit(\"handles multiple services\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80\"\n  redis:\n    image: redis\n    ports:\n      - \"6379:6379\"\n  searxng:\n    image: searxng/searxng\n    ports:\n      - \"8888:8080\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).toContain('\"6379\"');\n\t\texpect(result).toContain('\"8080\"');\n\t\texpect(result).not.toContain(\"8888\");\n\t});\n\n\tit(\"returns original YAML if no services section\", () => {\n\t\tconst yaml = `version: \"3\"`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toBe(yaml);\n\t});\n\n\tit(\"handles services with no ports\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain(\"nginx\");\n\t});\n});\n"],"mappings":";;;;AAGAA,6BAAS,wBAAwB;AAChC,wBAAG,6DAA6D;EAS/D,MAAM,SAASC,kDARF;;;;;;;EAQsB;AACnC,mCAAO,OAAO,CAAC,UAAU,SAAO;AAChC,mCAAO,OAAO,CAAC,UAAU,UAAQ;AACjC,mCAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,wBAAG,4DAA4D;EAQ9D,MAAM,SAASA,kDAPF;;;;;;EAOsB;AACnC,mCAAO,OAAO,CAAC,UAAU,SAAO;AAChC,mCAAO,OAAO,CAAC,IAAI,UAAU,OAAO;AACpC,mCAAO,OAAO,CAAC,IAAI,UAAU,UAAU;GACtC;AAEF,wBAAG,mCAAmC;EASrC,MAAM,SAASA,kDARF;;;;;;;EAQsB;AACnC,mCAAO,OAAO,CAAC,UAAU,SAAS;AAClC,mCAAO,OAAO,CAAC,UAAU,SAAS;AAClC,mCAAO,OAAO,CAAC,IAAI,UAAU,OAAO;AACpC,mCAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,wBAAG,8CAA8C;AAShD,mCADeA,kDAPF;;;;;;EAOsB,CACrB,CAAC,UAAU,SAAO;GAC/B;AAEF,wBAAG,mCAAmC;EAgBrC,MAAM,SAASA,kDAfF;;;;;;;;;;;;;;EAesB;AACnC,mCAAO,OAAO,CAAC,UAAU,SAAO;AAChC,mCAAO,OAAO,CAAC,UAAU,WAAS;AAClC,mCAAO,OAAO,CAAC,UAAU,WAAS;AAClC,mCAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,wBAAG,sDAAsD;EACxD,MAAM,OAAO;AAEb,mCADeA,kDAAe,KAAK,CACrB,CAAC,KAAK,KAAK;GACxB;AAEF,wBAAG,wCAAwC;AAO1C,mCADeA,kDALF;;;;EAKsB,CACrB,CAAC,UAAU,QAAQ;GAChC;EACD"}

package/dist/deployers/strip-host-ports.test.d.cts

@@ -0,0 +1 @@
+export { };

package/dist/deployers/strip-host-ports.test.d.mts

@@ -0,0 +1 @@
+export { };

package/dist/deployers/strip-host-ports.test.mjs

@@ -0,0 +1,90 @@
+import { n as describe, r as it, t as globalExpect } from "../vi.2VT5v0um-CFyDIn0m.mjs";
+import { stripHostPorts } from "./strip-host-ports.mjs";
+
+//#region src/deployers/strip-host-ports.test.ts
+describe("stripHostPorts", () => {
+	it("strips host port from short syntax (host:container)", () => {
+		const result = stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80"
+      - "443:443"
+`);
+		globalExpect(result).toContain("\"80\"");
+		globalExpect(result).toContain("\"443\"");
+		globalExpect(result).not.toContain("8080");
+	});
+	it("strips host IP and port from extended short syntax", () => {
+		const result = stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "0.0.0.0:8080:80"
+`);
+		globalExpect(result).toContain("\"80\"");
+		globalExpect(result).not.toContain("8080");
+		globalExpect(result).not.toContain("0.0.0.0");
+	});
+	it("preserves protocol suffix", () => {
+		const result = stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80/tcp"
+      - "5353:53/udp"
+`);
+		globalExpect(result).toContain("80/tcp");
+		globalExpect(result).toContain("53/udp");
+		globalExpect(result).not.toContain("8080");
+		globalExpect(result).not.toContain("5353");
+	});
+	it("keeps container-only ports unchanged", () => {
+		globalExpect(stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "80"
+`)).toContain("\"80\"");
+	});
+	it("handles multiple services", () => {
+		const result = stripHostPorts(`
+services:
+  web:
+    image: nginx
+    ports:
+      - "8080:80"
+  redis:
+    image: redis
+    ports:
+      - "6379:6379"
+  searxng:
+    image: searxng/searxng
+    ports:
+      - "8888:8080"
+`);
+		globalExpect(result).toContain("\"80\"");
+		globalExpect(result).toContain("\"6379\"");
+		globalExpect(result).toContain("\"8080\"");
+		globalExpect(result).not.toContain("8888");
+	});
+	it("returns original YAML if no services section", () => {
+		const yaml = `version: "3"`;
+		globalExpect(stripHostPorts(yaml)).toBe(yaml);
+	});
+	it("handles services with no ports", () => {
+		globalExpect(stripHostPorts(`
+services:
+  web:
+    image: nginx
+`)).toContain("nginx");
+	});
+});
+
+//#endregion
+export {  };
+//# sourceMappingURL=strip-host-ports.test.mjs.map

package/dist/deployers/strip-host-ports.test.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"strip-host-ports.test.mjs","names":[],"sources":["../../src/deployers/strip-host-ports.test.ts"],"sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport { stripHostPorts } from \"./strip-host-ports.js\";\n\ndescribe(\"stripHostPorts\", () => {\n\tit(\"strips host port from short syntax (host:container)\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80\"\n      - \"443:443\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).toContain('\"443\"');\n\t\texpect(result).not.toContain(\"8080\");\n\t});\n\n\tit(\"strips host IP and port from extended short syntax\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"0.0.0.0:8080:80\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).not.toContain(\"8080\");\n\t\texpect(result).not.toContain(\"0.0.0.0\");\n\t});\n\n\tit(\"preserves protocol suffix\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80/tcp\"\n      - \"5353:53/udp\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain(\"80/tcp\");\n\t\texpect(result).toContain(\"53/udp\");\n\t\texpect(result).not.toContain(\"8080\");\n\t\texpect(result).not.toContain(\"5353\");\n\t});\n\n\tit(\"keeps container-only ports unchanged\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"80\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t});\n\n\tit(\"handles multiple services\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n    ports:\n      - \"8080:80\"\n  redis:\n    image: redis\n    ports:\n      - \"6379:6379\"\n  searxng:\n    image: searxng/searxng\n    ports:\n      - \"8888:8080\"\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain('\"80\"');\n\t\texpect(result).toContain('\"6379\"');\n\t\texpect(result).toContain('\"8080\"');\n\t\texpect(result).not.toContain(\"8888\");\n\t});\n\n\tit(\"returns original YAML if no services section\", () => {\n\t\tconst yaml = `version: \"3\"`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toBe(yaml);\n\t});\n\n\tit(\"handles services with no ports\", () => {\n\t\tconst yaml = `\nservices:\n  web:\n    image: nginx\n`;\n\t\tconst result = stripHostPorts(yaml);\n\t\texpect(result).toContain(\"nginx\");\n\t});\n});\n"],"mappings":";;;;AAGA,SAAS,wBAAwB;AAChC,IAAG,6DAA6D;EAS/D,MAAM,SAAS,eARF;;;;;;;EAQsB;AACnC,eAAO,OAAO,CAAC,UAAU,SAAO;AAChC,eAAO,OAAO,CAAC,UAAU,UAAQ;AACjC,eAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,IAAG,4DAA4D;EAQ9D,MAAM,SAAS,eAPF;;;;;;EAOsB;AACnC,eAAO,OAAO,CAAC,UAAU,SAAO;AAChC,eAAO,OAAO,CAAC,IAAI,UAAU,OAAO;AACpC,eAAO,OAAO,CAAC,IAAI,UAAU,UAAU;GACtC;AAEF,IAAG,mCAAmC;EASrC,MAAM,SAAS,eARF;;;;;;;EAQsB;AACnC,eAAO,OAAO,CAAC,UAAU,SAAS;AAClC,eAAO,OAAO,CAAC,UAAU,SAAS;AAClC,eAAO,OAAO,CAAC,IAAI,UAAU,OAAO;AACpC,eAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,IAAG,8CAA8C;AAShD,eADe,eAPF;;;;;;EAOsB,CACrB,CAAC,UAAU,SAAO;GAC/B;AAEF,IAAG,mCAAmC;EAgBrC,MAAM,SAAS,eAfF;;;;;;;;;;;;;;EAesB;AACnC,eAAO,OAAO,CAAC,UAAU,SAAO;AAChC,eAAO,OAAO,CAAC,UAAU,WAAS;AAClC,eAAO,OAAO,CAAC,UAAU,WAAS;AAClC,eAAO,OAAO,CAAC,IAAI,UAAU,OAAO;GACnC;AAEF,IAAG,sDAAsD;EACxD,MAAM,OAAO;AAEb,eADe,eAAe,KAAK,CACrB,CAAC,KAAK,KAAK;GACxB;AAEF,IAAG,wCAAwC;AAO1C,eADe,eALF;;;;EAKsB,CACrB,CAAC,UAAU,QAAQ;GAChC;EACD"}