Introduce capability extension system for provisioning

[TimBeyer]

Summary

Refactor the hardcoded provisioning stages into a capability-focused extension system. Each feature (system packages, Homebrew, 1Password, Tailscale, OpenClaw, etc.) is now a self-contained, versioned capability module with lifecycle hooks, sequential migrations, config schema contributions, and an injected toolkit SDK.

Key Changes

• New @clawctl/capabilities package: Centralized capability definitions with atomic, reusable modules

  • registry.ts: Static registry of all capabilities with enable/disable logic
  • runner.ts: Phase runner that collects and executes hooks from enabled capabilities
  • state.ts: Capability state tracking for version-based migrations
  • agents-md.ts: Moved from host-core, now VM-side and capability-driven

• New ProvisionContext SDK (@clawctl/types): Injected into all capability steps

  • Replaces direct imports of VM-side tools
  • Provides unified interface for exec, file ops, network, shell profile, and config reading
  • Safe to import from both host CLI (config validation) and VM CLI (execution)

• Capability modules in packages/capabilities/src/capabilities/:

  • system-base.ts: APT packages, Node.js, systemd-linger (core)
  • homebrew.ts: Homebrew installation and shell profile (core)
  • openclaw.ts: OpenClaw install, env vars, gateway stub (core)
  • checkpoint.ts: Checkpoint skill (core)
  • tailscale.ts: Tailscale installation (optional)
  • one-password.ts: 1Password CLI, wrapper, exec-approvals, skills (optional)

• Helper modules in packages/capabilities/src/helpers/:

  • Ported tool logic from vm-cli/src/tools/ (apt, node, homebrew, tailscale, op-cli, openclaw, systemd, skills)
  • All parameterized with ProvisionContext instead of direct exec/fs imports

• VM-side integration:

  • vm-cli/src/capabilities/context.ts: Real ProvisionContext implementation wiring SDK to vm-cli primitives
  • vm-cli/src/commands/provision/index.ts: Refactored to use runPhase() from capabilities registry
  • Removed old stage files: stages.ts, system.ts, tools.ts, openclaw.ts, workspace.ts

• Host-side updates:

  • Removed host-core/src/agents-md.ts (moved to capabilities)
  • Updated provision.ts to write capability-aware config
  • Removed patchAgentsMd export (now VM-side responsibility)

• Type system:

  • New capability types in @clawctl/types/src/capability.ts: CapabilityDef, CapabilityHook, ProvisionContext, ProvisionResult, etc.
  • ProvisionConfig moved from types.ts to capability.ts with backwards-compat fields (onePassword, tailscale)
  • Capability-aware schema in types/src/schemas/index.ts

• Testing: Added comprehensive tests for registry and state modules

Notable Implementation Details

• Multi-phase hooks: Capabilities can define hooks for pre/main/post timing within each lifecycle phase
• Dependency resolution: Hooks are sorted by declared dependencies before execution
• Idempotent migrations: Sequential version-based migrations run only when installed version differs from declared version
• Backwards compatibility: Old config flags (onePassword, tailscale) still work via capability enabled() functions
• Doctor checks: Capabilities contribute health checks that are collected and run by the doctor command
• AGENTS.md patching: Now VM-side, assembled from capability contributions after workspace phase

https://claude.ai/code/session_01Mz4WN3iXvqi7hddiMjAkLx