@better-openclaw/core 1.0.23 → 1.0.25

package/dist/addon-stack.cjs

@@ -0,0 +1,673 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const require_skills = require("./skills-BlzpHmpH.cjs");
+const require_generators_postgres_init = require("./generators/postgres-init.cjs");
+const require_composer = require("./composer.cjs");
+const require_services_registry = require("./services/registry.cjs");
+const require_resolver = require("./resolver.cjs");
+const require_schema = require("./schema.cjs");
+let yaml = require("yaml");
+let node_crypto = require("node:crypto");
+//#region src/addon-stack.ts
+/** Services that Clawexa's cloud-init already provisions (or are mandatory platform services). */
+const INFRA_SERVICE_IDS = new Set([
+	"openclaw-gateway",
+	"openclaw-cli",
+	"redis",
+	"postgresql",
+	"open-webui",
+	"caddy",
+	"traefik",
+	"postgres-setup",
+	"convex",
+	"convex-dashboard",
+	"mission-control"
+]);
+/** Env keys managed by Clawexa's cloud-init — never include in addon env output. */
+const CLAWEXA_MANAGED_ENV_KEYS = new Set([
+	"COMPOSE_FILE",
+	"COMPOSE_PROFILES",
+	"OPENCLAW_VERSION",
+	"OPENCLAW_GATEWAY_TOKEN",
+	"OPENCLAW_GATEWAY_PORT",
+	"OPENCLAW_BRIDGE_PORT",
+	"OPENCLAW_GATEWAY_BIND",
+	"OPENCLAW_CONFIG_DIR",
+	"OPENCLAW_WORKSPACE_DIR",
+	"REDIS_PASSWORD",
+	"REDIS_HOST",
+	"REDIS_PORT",
+	"POSTGRES_USER",
+	"POSTGRES_PASSWORD",
+	"POSTGRES_DB",
+	"POSTGRES_HOST",
+	"POSTGRES_PORT"
+]);
+/** Sanitize instanceId into a valid Docker Compose project name. */
+function sanitizeProjectName(instanceId) {
+	return instanceId.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-").slice(0, 64) || "addon";
+}
+/** Generate a cryptographically secure hex secret of the given byte length. */
+function generateHexSecret(bytes) {
+	return (0, node_crypto.randomBytes)(bytes).toString("hex");
+}
+/** Generate a cryptographically secure base64url secret of the given byte length. */
+function generateBase64UrlSecret(bytes) {
+	return (0, node_crypto.randomBytes)(bytes).toString("base64url");
+}
+/**
+* Check if a service requires user-provided credentials that are missing.
+* Returns the list of missing credential keys, or empty if all are satisfied.
+*
+* When `generateSecrets` is true, empty-default secrets are auto-generated
+* (passwords, tokens, etc.) and are NOT considered missing. Only secrets
+* with `validation` regex patterns (indicating specific format like API keys)
+* are flagged as missing when not provided by the user.
+*/
+function getMissingCredentials(def, userCredentials, generateSecrets) {
+	const missing = [];
+	for (const env of def.environment) {
+		if (!env.required || !env.secret) continue;
+		if (env.defaultValue && env.defaultValue.length > 0) continue;
+		if (userCredentials?.[env.key]) continue;
+		if (generateSecrets && !env.validation) continue;
+		missing.push(env.key);
+	}
+	return missing;
+}
+/**
+* Apply env quirks (from service definition) to the generated env values.
+* Handles: empty_string_crashes → set fixed value, min_length → generate longer secret,
+* must_sync → ensure two keys have the same value.
+*/
+function applyEnvQuirks(def, envValues, generateSecrets) {
+	if (!def.envQuirks) return;
+	for (const quirk of def.envQuirks) switch (quirk.issue) {
+		case "empty_string_crashes":
+			if (quirk.fix.type === "set_value" && quirk.fix.value !== void 0) envValues.set(quirk.key, quirk.fix.value);
+			break;
+		case "min_length": {
+			if (!generateSecrets) break;
+			const current = envValues.get(quirk.key) || "";
+			const minBytes = quirk.fix.minBytes || 24;
+			const minHexLen = minBytes * 2;
+			if (current.length < minHexLen) {
+				if (quirk.fix.type === "generate_hex") envValues.set(quirk.key, generateHexSecret(minBytes));
+				else if (quirk.fix.type === "generate_base64url") envValues.set(quirk.key, generateBase64UrlSecret(minBytes));
+			}
+			break;
+		}
+		case "must_sync":
+			if (quirk.fix.type === "sync_with" && quirk.fix.syncKey) {
+				const sourceValue = envValues.get(quirk.key) || envValues.get(quirk.fix.syncKey);
+				if (sourceValue) {
+					envValues.set(quirk.key, sourceValue);
+					envValues.set(quirk.fix.syncKey, sourceValue);
+				}
+			}
+			break;
+	}
+}
+/**
+* Build proxy routes from resolved addon services.
+*/
+function buildProxyRoutes(services) {
+	const routes = [];
+	for (const { definition: def } of services) {
+		const exposedPort = def.ports.find((p) => p.exposed);
+		if (!exposedPort) continue;
+		routes.push({
+			serviceId: def.id,
+			path: def.proxyPath || `/${def.id}`,
+			port: exposedPort.container,
+			protocol: "http",
+			stripPrefix: true
+		});
+	}
+	return routes;
+}
+/**
+* Build a minimal ComposeOptions suitable for addon stack generation.
+* No proxy, no gateway, no hardening by default.
+*/
+function buildAddonComposeOptions(projectName, input) {
+	return {
+		projectName,
+		proxy: "none",
+		gpu: false,
+		platform: input.platform ?? "linux/amd64",
+		deployment: "clawexa",
+		openclawVersion: input.openclawVersion ?? "latest",
+		openclawImage: "official",
+		hardened: false,
+		openclawInstallMethod: "docker"
+	};
+}
+/**
+* Resolve port conflicts between addon services and reserved ports.
+* Returns a map of serviceId → { originalPort → assignedPort }.
+*/
+function resolvePortConflicts(addonServices, reservedPorts, portOverrides) {
+	const usedPorts = new Set(reservedPorts);
+	const assignments = {};
+	const overrides = {};
+	for (const { definition: def } of addonServices) for (const port of def.ports) {
+		if (!port.exposed) continue;
+		const userOverride = portOverrides?.[def.id]?.[String(port.host)];
+		if (userOverride) {
+			usedPorts.add(userOverride);
+			assignments[`${def.id}:${port.container}`] = userOverride;
+			if (!overrides[def.id]) overrides[def.id] = {};
+			overrides[def.id][String(port.host)] = userOverride;
+			continue;
+		}
+		let assignedPort = port.host;
+		if (usedPorts.has(assignedPort)) {
+			assignedPort = port.host + 1e3;
+			while (usedPorts.has(assignedPort)) assignedPort++;
+			if (!overrides[def.id]) overrides[def.id] = {};
+			overrides[def.id][String(port.host)] = assignedPort;
+		}
+		usedPorts.add(assignedPort);
+		assignments[`${def.id}:${port.container}`] = assignedPort;
+	}
+	return {
+		assignments,
+		overrides
+	};
+}
+/**
+* Generates a Docker Compose override stack containing only addon services
+* for Clawexa managed instances. Infrastructure services (gateway, redis,
+* postgres, open-webui, caddy) are excluded since Clawexa's cloud-init
+* already provisions them.
+*
+* This function never throws. Errors are reported via `warnings` and
+* `metadata.skippedServices`.
+*/
+function generateAddonStack(rawInput) {
+	const warnings = [];
+	const skippedServices = [];
+	const generatedSecretKeys = [];
+	let input;
+	try {
+		input = require_schema.AddonStackInputSchema.parse(rawInput);
+	} catch (err) {
+		return emptyResult(`Invalid input: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	const projectName = sanitizeProjectName(input.instanceId);
+	const addonServiceIds = input.services.filter((id) => {
+		if (INFRA_SERVICE_IDS.has(id)) {
+			warnings.push(`Service "${id}" is managed by Clawexa infrastructure and was excluded.`);
+			return false;
+		}
+		return true;
+	});
+	if (addonServiceIds.length === 0) return emptyResult("No addon services requested (all were infrastructure services).");
+	const validServiceIds = [];
+	for (const id of addonServiceIds) if (!require_services_registry.getServiceById(id)) skippedServices.push({
+		serviceId: id,
+		reason: "unknown_service",
+		details: `Service "${id}" does not exist in the registry.`
+	});
+	else validServiceIds.push(id);
+	if (validServiceIds.length === 0) return {
+		...emptyResultBase(),
+		metadata: {
+			...emptyResultBase().metadata,
+			skippedServices
+		},
+		warnings: [...warnings, "No valid addon services to deploy."]
+	};
+	let resolved;
+	try {
+		resolved = require_resolver.resolve({
+			services: validServiceIds,
+			skillPacks: input.skillPacks,
+			aiProviders: input.aiProviders,
+			platform: input.platform ?? "linux/amd64"
+		});
+	} catch (err) {
+		return {
+			...emptyResultBase(),
+			metadata: {
+				...emptyResultBase().metadata,
+				skippedServices
+			},
+			warnings: [...warnings, `Dependency resolution failed: ${err instanceof Error ? err.message : String(err)}`]
+		};
+	}
+	for (const w of resolved.warnings) warnings.push(w.message);
+	const addonResolved = [];
+	for (const svc of resolved.services) {
+		if (INFRA_SERVICE_IDS.has(svc.definition.id)) continue;
+		addonResolved.push(svc);
+	}
+	const deployableServices = [];
+	for (const svc of addonResolved) {
+		const def = svc.definition;
+		if (def.gitSource && def.buildContext && !def.image) {
+			if (!(def.prebuiltImage || input.prebuiltImages[def.id])) {
+				skippedServices.push({
+					serviceId: def.id,
+					reason: "no_image",
+					details: `Service "${def.name}" requires building from source but no pre-built image is available.`
+				});
+				continue;
+			}
+		}
+		if (def.gpuRequired && !input.gpu) {
+			skippedServices.push({
+				serviceId: def.id,
+				reason: "gpu_required",
+				details: `Service "${def.name}" requires a GPU but the host does not have GPU support.`
+			});
+			continue;
+		}
+		const userCreds = input.credentials[def.id];
+		const missing = getMissingCredentials(def, userCreds, input.generateSecrets);
+		if (missing.length > 0) {
+			skippedServices.push({
+				serviceId: def.id,
+				reason: "missing_credentials",
+				details: `Service "${def.name}" requires credentials: ${missing.join(", ")}`,
+				requiredCredentials: missing
+			});
+			continue;
+		}
+		deployableServices.push(svc);
+	}
+	if (deployableServices.length === 0) return {
+		...emptyResultBase(),
+		metadata: {
+			...emptyResultBase().metadata,
+			skippedServices
+		},
+		warnings: [...warnings, "No deployable addon services after filtering."]
+	};
+	const allReservedPorts = [...input.reservedPorts];
+	for (const existingId of input.existingServices) {
+		const existingDef = require_services_registry.getServiceById(existingId);
+		if (existingDef) {
+			for (const port of existingDef.ports) if (port.exposed) allReservedPorts.push(port.host);
+		}
+	}
+	const portConflicts = resolvePortConflicts(deployableServices, allReservedPorts, input.portOverrides);
+	const addonResolvedOutput = {
+		services: deployableServices,
+		addedDependencies: resolved.addedDependencies,
+		removedConflicts: resolved.removedConflicts,
+		warnings: resolved.warnings,
+		errors: [],
+		isValid: true,
+		estimatedMemoryMB: deployableServices.reduce((sum, s) => sum + (s.definition.minMemoryMB ?? 128), 0),
+		aiProviders: input.aiProviders ?? [],
+		gsdRuntimes: []
+	};
+	const composeOptions = buildAddonComposeOptions(projectName, input);
+	if (Object.keys(portConflicts.overrides).length > 0) composeOptions.portOverrides = portConflicts.overrides;
+	const services = {};
+	const allVolumes = /* @__PURE__ */ new Set();
+	const envValues = /* @__PURE__ */ new Map();
+	for (const svc of deployableServices) {
+		const def = svc.definition;
+		try {
+			let effectiveDef = def;
+			if (def.gitSource && def.buildContext && !def.image) {
+				const prebuiltImage = def.prebuiltImage || input.prebuiltImages[def.id];
+				if (prebuiltImage) {
+					const [img, tag] = prebuiltImage.includes(":") ? prebuiltImage.split(":") : [prebuiltImage, "latest"];
+					effectiveDef = {
+						...def,
+						image: img,
+						imageTag: tag,
+						gitSource: void 0,
+						buildContext: void 0
+					};
+				}
+			}
+			const { entry, volumeNames } = require_composer.buildCompanionService(effectiveDef, addonResolvedOutput, composeOptions, allVolumes);
+			delete entry.profiles;
+			if (entry.depends_on) {
+				const deps = entry.depends_on;
+				for (const depId of Object.keys(deps)) if (INFRA_SERVICE_IDS.has(depId)) delete deps[depId];
+				if (Object.keys(deps).length === 0) delete entry.depends_on;
+			}
+			services[def.id] = entry;
+			for (const v of volumeNames) allVolumes.add(v);
+			const userCreds = input.credentials[def.id];
+			if (userCreds) {
+				for (const [key, value] of Object.entries(userCreds)) envValues.set(key, value);
+				for (const envVar of def.environment) if (userCreds[envVar.key] && envVar.defaultValue?.startsWith("${") && envVar.defaultValue?.endsWith("}")) {
+					const refKey = envVar.defaultValue.slice(2, -1);
+					envValues.set(refKey, userCreds[envVar.key]);
+				}
+			}
+		} catch (err) {
+			skippedServices.push({
+				serviceId: def.id,
+				reason: "resolution_error",
+				details: `Failed to build compose entry: ${err instanceof Error ? err.message : String(err)}`
+			});
+			warnings.push(`Failed to process service "${def.name}": ${err instanceof Error ? err.message : String(err)}`);
+		}
+	}
+	const dbReqs = require_generators_postgres_init.getDbRequirements(addonResolvedOutput);
+	if (dbReqs.length > 0) {
+		const scriptLines = ["echo '=== PostgreSQL database setup (addon) ==='", "FAILED=0"];
+		for (const req of dbReqs) scriptLines.push(`echo "Setting up database '${req.dbName}' with user '${req.dbUser}'..."`, `psql -c "SELECT 1 FROM pg_roles WHERE rolname='${req.dbUser}'" | grep -q 1 || psql -c "CREATE ROLE ${req.dbUser} WITH LOGIN PASSWORD '$$${req.passwordEnvVar}'"`, `psql -c "ALTER ROLE ${req.dbUser} WITH LOGIN PASSWORD '$$${req.passwordEnvVar}'"`, `psql -tc "SELECT 1 FROM pg_database WHERE datname='${req.dbName}'" | grep -q 1 || psql -c "CREATE DATABASE ${req.dbName} OWNER ${req.dbUser}"`, `psql -c "GRANT ALL PRIVILEGES ON DATABASE ${req.dbName} TO ${req.dbUser}" || FAILED=1`, `echo "  Done: ${req.dbName}"`);
+		scriptLines.push("echo '=== All databases ready ==='", "exit $$FAILED");
+		const dbEnv = {
+			PGHOST: "postgresql",
+			PGUSER: "${POSTGRES_USER:-openclaw}",
+			PGDATABASE: "${POSTGRES_DB:-openclaw}",
+			PGPASSWORD: "${POSTGRES_PASSWORD}"
+		};
+		for (const req of dbReqs) dbEnv[req.passwordEnvVar] = `\${${req.passwordEnvVar}}`;
+		services["postgres-setup"] = {
+			image: "postgres:17-alpine",
+			depends_on: { postgresql: { condition: "service_healthy" } },
+			environment: dbEnv,
+			entrypoint: ["/bin/sh", "-c"],
+			command: [scriptLines.join("\n")],
+			restart: require_composer.quotedStr("no"),
+			networks: ["openclaw-network"]
+		};
+		for (const req of dbReqs) {
+			const svcEntry = services[req.serviceId];
+			if (svcEntry) {
+				const deps = svcEntry.depends_on || {};
+				deps["postgres-setup"] = { condition: "service_completed_successfully" };
+				svcEntry.depends_on = deps;
+			}
+		}
+	}
+	const envLines = [
+		"# ═══════════════════════════════════════════════════════════════════════════════",
+		"# OpenClaw Addon Stack Environment",
+		`# Instance: ${input.instanceId}`,
+		`# Generated at ${(/* @__PURE__ */ new Date()).toISOString()}`,
+		"# ═══════════════════════════════════════════════════════════════════════════════",
+		""
+	];
+	if (dbReqs.length > 0) {
+		envLines.push("# ── Per-Service Database Passwords ──────────────────────────────────────");
+		for (const req of dbReqs) {
+			const secretValue = input.generateSecrets ? generateHexSecret(24) : "";
+			envValues.set(req.passwordEnvVar, secretValue);
+			if (secretValue) generatedSecretKeys.push(req.passwordEnvVar);
+			envLines.push(`# PostgreSQL password for ${req.serviceName} (db: ${req.dbName}, user: ${req.dbUser})`);
+			envLines.push(`${req.passwordEnvVar}=${secretValue}`);
+			envLines.push("");
+		}
+	}
+	const seenKeys = new Set([...CLAWEXA_MANAGED_ENV_KEYS, ...dbReqs.map((r) => r.passwordEnvVar)]);
+	const envVarGroups = [];
+	for (const svc of deployableServices) {
+		const def = svc.definition;
+		const allEnvVars = [...def.environment, ...def.openclawEnvVars];
+		if (allEnvVars.length === 0) continue;
+		const groupVars = [];
+		envLines.push(`# ── ${def.icon} ${def.name} ──────────────────────────────────────`);
+		for (const envVar of allEnvVars) {
+			if (seenKeys.has(envVar.key)) continue;
+			seenKeys.add(envVar.key);
+			const userValue = input.credentials[def.id]?.[envVar.key];
+			let actualValue;
+			if (userValue !== void 0) actualValue = userValue;
+			else if (envVar.secret) if (envVar.defaultValue.startsWith("${") && envVar.defaultValue.endsWith("}")) {
+				const refKey = envVar.defaultValue.slice(2, -1);
+				actualValue = envValues.get(refKey) || envVar.defaultValue;
+			} else if (input.generateSecrets) {
+				actualValue = generateHexSecret(24);
+				generatedSecretKeys.push(envVar.key);
+			} else actualValue = envVar.defaultValue;
+			else actualValue = envVar.defaultValue;
+			envValues.set(envVar.key, actualValue);
+			envLines.push(`# ${envVar.description}`);
+			envLines.push(`${envVar.key}=${actualValue}`);
+			envLines.push("");
+			groupVars.push({
+				key: envVar.key,
+				description: envVar.description,
+				value: actualValue,
+				secret: envVar.secret
+			});
+		}
+		if (groupVars.length > 0) envVarGroups.push({
+			serviceName: def.name,
+			vars: groupVars
+		});
+	}
+	for (const svc of deployableServices) applyEnvQuirks(svc.definition, envValues, input.generateSecrets);
+	const quirkedKeys = /* @__PURE__ */ new Set();
+	const finalEnvLines = [];
+	for (const line of envLines) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) {
+			finalEnvLines.push(line);
+			continue;
+		}
+		const eqIdx = trimmed.indexOf("=");
+		if (eqIdx > 0) {
+			const key = trimmed.slice(0, eqIdx);
+			quirkedKeys.add(key);
+			const fixedValue = envValues.get(key);
+			if (fixedValue !== void 0) finalEnvLines.push(`${key}=${fixedValue}`);
+			else finalEnvLines.push(line);
+		} else finalEnvLines.push(line);
+	}
+	for (const [key, value] of envValues) if (!quirkedKeys.has(key) && !seenKeys.has(key) && !CLAWEXA_MANAGED_ENV_KEYS.has(key)) {
+		finalEnvLines.push(`# Synced by env quirk`);
+		finalEnvLines.push(`${key}=${value}`);
+		finalEnvLines.push("");
+	}
+	const envFile = finalEnvLines.join("\n");
+	const skillFiles = require_skills.generateSkillFiles(addonResolvedOutput);
+	const skillEntries = {};
+	let skillCount = 0;
+	for (const svc of deployableServices) for (const skill of svc.definition.skills) if (skill.autoInstall) {
+		skillEntries[skill.skillId] = { enabled: true };
+		skillCount++;
+	}
+	const proxyRoutes = buildProxyRoutes(deployableServices);
+	const volumeMap = {};
+	for (const v of allVolumes) volumeMap[v] = null;
+	const composeDoc = { services };
+	if (Object.keys(volumeMap).length > 0) composeDoc.volumes = volumeMap;
+	composeDoc.networks = { "openclaw-network": { external: true } };
+	return {
+		composeOverride: (0, yaml.stringify)(composeDoc, require_composer.YAML_OPTIONS),
+		envFile,
+		envVars: envVarGroups,
+		skillFiles,
+		openclawConfigPatch: { skills: { entries: skillEntries } },
+		proxyRoutes,
+		metadata: {
+			serviceCount: Object.keys(services).length,
+			skillCount,
+			estimatedMemoryMB: addonResolvedOutput.estimatedMemoryMB,
+			resolvedServices: deployableServices.map((s) => s.definition.id),
+			skippedServices,
+			generatedSecretKeys,
+			portAssignments: portConflicts.assignments
+		},
+		warnings
+	};
+}
+/**
+* Incrementally updates an existing addon stack by adding or removing services.
+* Preserves existing env values (never overwrites user-customized values).
+*
+* This function never throws.
+*/
+function updateAddonStack(rawInput) {
+	const warnings = [];
+	let input;
+	try {
+		input = require_schema.AddonStackUpdateInputSchema.parse(rawInput);
+	} catch (err) {
+		return emptyUpdateResult(`Invalid input: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	let currentServiceIds = [];
+	try {
+		const existingCompose = (0, yaml.parse)(input.currentCompose);
+		if (existingCompose?.services && typeof existingCompose.services === "object") currentServiceIds = Object.keys(existingCompose.services).filter((id) => id !== "postgres-setup");
+	} catch (err) {
+		warnings.push(`Failed to parse existing compose YAML: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	const existingEnvMap = /* @__PURE__ */ new Map();
+	for (const line of input.currentEnv.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const eqIdx = trimmed.indexOf("=");
+		if (eqIdx > 0) existingEnvMap.set(trimmed.slice(0, eqIdx), trimmed.slice(eqIdx + 1));
+	}
+	new Set(input.addServices);
+	const removeSet = new Set(input.removeServices);
+	const desiredServiceIds = [...currentServiceIds.filter((id) => !removeSet.has(id)), ...input.addServices.filter((id) => !currentServiceIds.includes(id))];
+	const targetResult = generateAddonStack({
+		instanceId: input.instanceId,
+		services: desiredServiceIds,
+		skillPacks: [],
+		platform: input.platform,
+		openclawVersion: input.openclawVersion,
+		reservedPorts: input.reservedPorts,
+		generateSecrets: input.generateSecrets,
+		credentials: input.credentials,
+		portOverrides: input.portOverrides,
+		aiProviders: input.aiProviders,
+		prebuiltImages: input.prebuiltImages
+	});
+	const mergedEnvLines = [];
+	for (const line of targetResult.envFile.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) {
+			mergedEnvLines.push(line);
+			continue;
+		}
+		const eqIdx = trimmed.indexOf("=");
+		if (eqIdx > 0) {
+			const key = trimmed.slice(0, eqIdx);
+			if (existingEnvMap.has(key)) mergedEnvLines.push(`${key}=${existingEnvMap.get(key)}`);
+			else mergedEnvLines.push(line);
+		} else mergedEnvLines.push(line);
+	}
+	const currentSet = new Set(currentServiceIds);
+	const targetSet = new Set(targetResult.metadata.resolvedServices);
+	const added = [...targetSet].filter((id) => !currentSet.has(id));
+	const removed = [...currentSet].filter((id) => !targetSet.has(id));
+	const unchanged = [...currentSet].filter((id) => targetSet.has(id));
+	const newSkillFiles = {};
+	const removedSkillSlugs = [];
+	for (const id of added) {
+		const def = require_services_registry.getServiceById(id);
+		if (!def) continue;
+		for (const skill of def.skills) {
+			const skillPath = Object.keys(targetResult.skillFiles).find((path) => path.includes(skill.skillId));
+			if (skillPath) newSkillFiles[skillPath] = targetResult.skillFiles[skillPath];
+		}
+	}
+	for (const id of removed) {
+		const def = require_services_registry.getServiceById(id);
+		if (!def) continue;
+		for (const skill of def.skills) removedSkillSlugs.push(skill.skillId);
+	}
+	const addProxyRoutes = targetResult.proxyRoutes.filter((r) => added.includes(r.serviceId));
+	const removeProxyRoutes = removed;
+	const imagesToPull = [];
+	for (const id of added) {
+		const def = require_services_registry.getServiceById(id);
+		if (def?.image && def?.imageTag) imagesToPull.push(`${def.image}:${def.imageTag}`);
+		else if (def?.prebuiltImage) imagesToPull.push(def.prebuiltImage);
+	}
+	let memoryDelta = 0;
+	for (const id of added) {
+		const def = require_services_registry.getServiceById(id);
+		memoryDelta += def?.minMemoryMB ?? 128;
+	}
+	for (const id of removed) {
+		const def = require_services_registry.getServiceById(id);
+		memoryDelta -= def?.minMemoryMB ?? 128;
+	}
+	const addSkillEntries = {};
+	for (const id of added) {
+		const def = require_services_registry.getServiceById(id);
+		if (!def) continue;
+		for (const skill of def.skills) if (skill.autoInstall) addSkillEntries[skill.skillId] = { enabled: true };
+	}
+	return {
+		composeOverride: targetResult.composeOverride,
+		envFile: mergedEnvLines.join("\n"),
+		newSkillFiles,
+		removedSkillSlugs,
+		openclawConfigPatch: { skills: {
+			add: addSkillEntries,
+			remove: removedSkillSlugs
+		} },
+		addProxyRoutes,
+		removeProxyRoutes,
+		imagesToPull,
+		restartRequired: added,
+		metadata: {
+			added,
+			removed,
+			unchanged,
+			estimatedMemoryDelta: memoryDelta
+		},
+		warnings: [...warnings, ...targetResult.warnings]
+	};
+}
+function emptyResultBase() {
+	return {
+		composeOverride: "services: {}\n",
+		envFile: "",
+		envVars: [],
+		skillFiles: {},
+		openclawConfigPatch: { skills: { entries: {} } },
+		proxyRoutes: [],
+		metadata: {
+			serviceCount: 0,
+			skillCount: 0,
+			estimatedMemoryMB: 0,
+			resolvedServices: [],
+			skippedServices: [],
+			generatedSecretKeys: [],
+			portAssignments: {}
+		},
+		warnings: []
+	};
+}
+function emptyResult(warning) {
+	return {
+		...emptyResultBase(),
+		warnings: [warning]
+	};
+}
+function emptyUpdateResult(warning) {
+	return {
+		composeOverride: "services: {}\n",
+		envFile: "",
+		newSkillFiles: {},
+		removedSkillSlugs: [],
+		openclawConfigPatch: { skills: {
+			add: {},
+			remove: []
+		} },
+		addProxyRoutes: [],
+		removeProxyRoutes: [],
+		imagesToPull: [],
+		restartRequired: [],
+		metadata: {
+			added: [],
+			removed: [],
+			unchanged: [],
+			estimatedMemoryDelta: 0
+		},
+		warnings: [warning]
+	};
+}
+//#endregion
+exports.generateAddonStack = generateAddonStack;
+exports.updateAddonStack = updateAddonStack;
+
+//# sourceMappingURL=addon-stack.cjs.map