@better-openclaw/core 1.0.24 → 1.0.26

package/src/composer.ts

@@ -23,7 +23,7 @@ function getOpenclawImage(variant: OpenclawImageVariant, version: string): strin
 }
 
 /** Creates a YAML scalar that is always quoted — avoids YAML 1.1 bare `no` → false. */
-function quotedStr(value: string): Scalar {
+export function quotedStr(value: string): Scalar {
 	const s = new Scalar(value);
 	s.type = Scalar.QUOTE_DOUBLE;
 	return s;
@@ -53,7 +53,7 @@ const CATEGORY_PROFILE_MAP: Partial<Record<ServiceCategory, { file: string; prof
 	"saas-boilerplate": { file: "docker-compose.saas.yml", profile: "saas" },
 };
 
-const YAML_OPTIONS = { lineWidth: 120, nullStr: "" };
+export const YAML_OPTIONS = { lineWidth: 120, nullStr: "" };
 
 // ── Shared Gateway Builder ──────────────────────────────────────────────────
 
@@ -222,7 +222,7 @@ function buildGatewayServices(
 
 // ── Shared Companion Service Builder ────────────────────────────────────────
 
-function buildCompanionService(
+export function buildCompanionService(
 	def: ResolverOutput["services"][number]["definition"],
 	resolved: ResolverOutput,
 	options: ComposeOptions,
@@ -445,7 +445,7 @@ function buildCompanionService(
  *
  * Returns null when no setup is needed (no PostgreSQL or no DB requirements).
  */
-function buildPostgresSetup(resolved: ResolverOutput): Record<string, unknown> | null {
+export function buildPostgresSetup(resolved: ResolverOutput): Record<string, unknown> | null {
 	const hasPostgres = resolved.services.some((s) => s.definition.id === "postgresql");
 	if (!hasPostgres) return null;
 

package/src/generators/postgres-init.ts

@@ -52,6 +52,8 @@ const DB_REQUIREMENTS: Record<string, Omit<DbRequirement, "serviceId" | "service
 	openpanel: { dbName: "openpanel", dbUser: "openpanel", passwordEnvVar: "OPENPANEL_DB_PASSWORD" },
 	usesend: { dbName: "usesend", dbUser: "usesend", passwordEnvVar: "USESEND_DB_PASSWORD" },
 	nextcloud: { dbName: "nextcloud", dbUser: "nextcloud", passwordEnvVar: "NEXTCLOUD_DB_PASSWORD" },
+	// ── Agent Memory ────────────────────────────────────────────────────────
+	hindsight: { dbName: "hindsight", dbUser: "hindsight", passwordEnvVar: "HINDSIGHT_DB_PASSWORD" },
 	// ── SaaS Boilerplates ────────────────────────────────────────────────────
 	"open-saas": { dbName: "opensaas", dbUser: "opensaas", passwordEnvVar: "OPENSAAS_DB_PASSWORD" },
 	"apptension-saas": {

package/src/generators/skills.ts

@@ -535,6 +535,148 @@ curl -X POST http://{{STEEL_HOST}}:{{STEEL_PORT}}/v1/scrape \\
 - Proxy support and IP rotation
 - Auto CAPTCHA solving
 - Puppeteer/Playwright/Selenium compatible
+`,
+
+	"code-sandbox": `---
+name: code-sandbox
+description: "Execute code safely in an isolated OpenSandbox container"
+metadata:
+  openclaw:
+    emoji: "📦"
+---
+
+# Code Sandbox
+
+Execute code safely in an isolated OpenSandbox container.
+
+## Description
+
+This skill provides secure, containerized code execution for AI agents. Code runs in ephemeral Docker containers with resource limits, network isolation, and automatic cleanup.
+
+## Connection Details
+
+- **Host:** \`{{OPENSANDBOX_HOST}}\`
+- **Port:** \`{{OPENSANDBOX_PORT}}\`
+- **Auth:** API key (auto-configured)
+
+## Supported Languages
+
+- Python 3.12
+- JavaScript / TypeScript (Node.js 22)
+- Java 21
+- Go 1.24
+- Bash
+
+## Available Actions
+
+### execute_code
+
+Run a code snippet in a fresh sandbox.
+
+**Parameters:**
+- \`language\` (required): Programming language ("python", "javascript", "typescript", "java", "go", "bash")
+- \`code\` (required): The code to execute
+- \`timeout_seconds\` (optional): Max execution time (default: 60, max: 300)
+
+**Returns:** stdout, stderr, exit_code, execution_time_ms
+
+### execute_shell
+
+Run a shell command in an existing or new sandbox.
+
+**Parameters:**
+- \`command\` (required): Shell command to execute
+- \`sandbox_id\` (optional): Reuse an existing sandbox (for multi-step workflows)
+- \`background\` (optional): Run in background (default: false)
+
+**Returns:** stdout, stderr, exit_code
+
+### upload_file
+
+Upload a file to a sandbox for processing.
+
+**Parameters:**
+- \`sandbox_id\` (required): Target sandbox
+- \`path\` (required): Destination path inside sandbox
+- \`content\` (required): File content (text or base64 for binary)
+
+### download_file
+
+Download a file from a sandbox.
+
+**Parameters:**
+- \`sandbox_id\` (required): Source sandbox
+- \`path\` (required): File path inside sandbox
+
+**Returns:** File content
+
+### list_sandboxes
+
+List active sandboxes on this instance.
+
+**Returns:** Array of { id, status, image, created_at, expires_at }
+
+### terminate_sandbox
+
+Terminate a running sandbox immediately.
+
+**Parameters:**
+- \`sandbox_id\` (required): Sandbox to terminate
+
+### create_desktop
+
+Create a GUI desktop sandbox with VNC access (for Homespace live preview).
+
+**Parameters:**
+- \`image\` (optional): Desktop image (default: "opensandbox/desktop:latest", also: "opensandbox/chrome:latest", "opensandbox/vscode:latest")
+- \`resolution\` (optional): Screen resolution (default: "1280x800x24")
+
+**Returns:** sandbox_id, vnc_endpoint (port 5900), novnc_url (port 6080 WebSocket), devtools_url (port 9222, chrome only)
+
+### get_preview_url
+
+Get the browser-accessible noVNC URL for an existing desktop sandbox.
+
+**Parameters:**
+- \`sandbox_id\` (required): Desktop sandbox ID
+
+**Returns:** novnc_url (embeddable in iframe), vnc_endpoint, status
+
+## Examples
+
+### Run Python code
+
+\`\`\`bash
+curl -X POST http://{{OPENSANDBOX_HOST}}:{{OPENSANDBOX_PORT}}/v1/sandboxes \\
+  -H "Authorization: Bearer $OPENSANDBOX_API_KEY" \\
+  -H "Content-Type: application/json" \\
+  -d '{"image": "opensandbox/code-interpreter:python"}'
+\`\`\`
+
+### Execute code in a sandbox
+
+\`\`\`bash
+curl -X POST http://{{OPENSANDBOX_HOST}}:{{OPENSANDBOX_PORT}}/v1/sandboxes/{id}/code \\
+  -H "Authorization: Bearer $OPENSANDBOX_API_KEY" \\
+  -H "Content-Type: application/json" \\
+  -d '{"language": "python", "code": "print(42 * 42)"}'
+\`\`\`
+
+## Configuration
+
+- **Default timeout:** 60 seconds
+- **Max concurrent sandboxes:** Determined by VPS RAM
+- **Idle cleanup:** Sandboxes with no activity for 30 minutes are auto-terminated
+- **Network:** Bridge mode (isolated from host services)
+- **Security:** gVisor runtime, capability dropping, PID limits
+
+## Limitations
+
+- No persistent storage between sandbox sessions (ephemeral by design)
+- No GPU access (CPU-only execution)
+- No outbound network access by default (egress blocked)
+- Max 512 PIDs per sandbox (fork bomb protection)
+- Memory capped per sandbox (default 512MB)
 `,
 };
 

package/src/index.ts

@@ -1,4 +1,5 @@
-// ─── Schemas ────────────────────────────────────────────────────────────────
+// ─── Addon Stack (Clawexa) ──────────────────────────────────────────────────
+export { generateAddonStack, updateAddonStack } from "./addon-stack.js";
 
 // ─── Core Engines ───────────────────────────────────────────────────────────
 export {
@@ -7,7 +8,7 @@ export {
 	resolvedWithOnlyServices,
 } from "./bare-metal-partition.js";
 export type { ComposeResult } from "./composer.js";
-export { compose, composeMultiFile } from "./composer.js";
+export { buildCompanionService, buildPostgresSetup, compose, composeMultiFile, quotedStr, YAML_OPTIONS } from "./composer.js";
 // ─── PaaS Deployers ─────────────────────────────────────────────────────────
 export type {
 	DeployInput as PaasDeployInput,
@@ -71,6 +72,10 @@ export {
 } from "./presets/registry.js";
 export { resolve } from "./resolver.js";
 export {
+	AddonStackInputSchema,
+	AddonStackResultSchema,
+	AddonStackUpdateInputSchema,
+	AddonStackUpdateResultSchema,
 	AddedDependencySchema,
 	ApiErrorSchema,
 	BuildContextSchema,
@@ -79,6 +84,8 @@ export {
 	DeploymentTypeSchema,
 	DeploySchema,
 	DeployTargetSchema,
+	EnvQuirkFixSchema,
+	EnvQuirkSchema,
 	EnvVariableSchema,
 	ErrorSchema,
 	GenerationInputSchema,
@@ -93,6 +100,7 @@ export {
 	PlatformSchema,
 	PortMappingSchema,
 	PresetSchema,
+	ProxyRouteSchema,
 	ProxyTypeSchema,
 	ResolvedServiceSchema,
 	ResolverOutputSchema,
@@ -102,6 +110,8 @@ export {
 	ServiceDefinitionSchema,
 	SkillBindingSchema,
 	SkillPackSchema,
+	SkippedServiceReasonSchema,
+	SkippedServiceSchema,
 	ValidateRequestSchema,
 	ValidateResponseSchema,
 	VolumeMappingSchema,
@@ -130,6 +140,10 @@ export {
 } from "./skills/skill-manifest.js";
 // ─── Types ──────────────────────────────────────────────────────────────────
 export type {
+	AddonStackInput,
+	AddonStackResult,
+	AddonStackUpdateInput,
+	AddonStackUpdateResult,
 	AddedDependency,
 	AiProvider,
 	ApiError,
@@ -140,6 +154,8 @@ export type {
 	DeploymentTarget,
 	DeploymentType,
 	DeployTarget,
+	EnvQuirk,
+	EnvQuirkFix,
 	EnvVariable,
 	GeneratedFiles,
 	GenerationInput,
@@ -157,6 +173,7 @@ export type {
 	Platform,
 	PortMapping,
 	Preset,
+	ProxyRoute,
 	ProxyType,
 	ResolvedService,
 	ResolverError,
@@ -168,6 +185,7 @@ export type {
 	ServiceDefinition,
 	SkillBinding,
 	SkillPack,
+	SkippedService,
 	ValidateRequest,
 	ValidateResponse,
 	VolumeMapping,

package/src/schema.ts

@@ -178,6 +178,24 @@ export const BuildContextSchema = z.object({
 	target: z.string().optional(),
 });
 
+// ─── Env Quirks (for addon stack generation) ────────────────────────────────
+
+export const EnvQuirkFixSchema = z.object({
+	type: z.enum(["set_value", "generate_hex", "generate_base64url", "sync_with"]),
+	/** Fixed value to set (for set_value type). */
+	value: z.string().optional(),
+	/** Minimum bytes for generated secrets (for generate_hex/generate_base64url). */
+	minBytes: z.number().int().min(1).optional(),
+	/** Key to synchronize with (for sync_with type). */
+	syncKey: z.string().optional(),
+});
+
+export const EnvQuirkSchema = z.object({
+	key: z.string(),
+	issue: z.enum(["empty_string_crashes", "min_length", "must_sync"]),
+	fix: EnvQuirkFixSchema,
+});
+
 // ─── Service Definition ─────────────────────────────────────────────────────
 
 export const ServiceDefinitionSchema = z.object({
@@ -236,6 +254,18 @@ export const ServiceDefinitionSchema = z.object({
 	// Bare-metal native (install/run on host when no Docker)
 	nativeSupported: z.boolean().optional(),
 	nativeRecipes: z.array(NativeRecipeSchema).optional(),
+
+	// Clawexa addon metadata
+	/** Whether the service works with cap_drop: ALL (default: undefined = not audited). */
+	capDropCompatible: z.boolean().optional(),
+	/** Pre-built Docker image for cloud-init deployment (replaces build: directives). */
+	prebuiltImage: z.string().optional(),
+	/** Default reverse proxy path (e.g. "/n8n", "/grafana"). */
+	proxyPath: z.string().optional(),
+	/** Linux capabilities needed at first boot (e.g. ["CHOWN", "SETGID"]). */
+	firstBootCapabilities: z.array(z.string()).optional(),
+	/** Known environment variable quirks that need special handling. */
+	envQuirks: z.array(EnvQuirkSchema).optional(),
 });
 
 // ─── Skill Pack ─────────────────────────────────────────────────────────────
@@ -364,6 +394,166 @@ export const ComposeOptionsSchema = z.object({
 	openclawInstallMethod: OpenclawInstallMethodSchema.default("docker"),
 });
 
+// ─── Addon Stack (Clawexa) ───────────────────────────────────────────────────
+
+export const SkippedServiceReasonSchema = z.enum([
+	"missing_credentials",
+	"no_image",
+	"platform_unsupported",
+	"conflict",
+	"gpu_required",
+	"unknown_service",
+	"resolution_error",
+]);
+
+export const SkippedServiceSchema = z.object({
+	serviceId: z.string(),
+	reason: SkippedServiceReasonSchema,
+	details: z.string(),
+	requiredCredentials: z.array(z.string()).optional(),
+});
+
+export const ProxyRouteSchema = z.object({
+	serviceId: z.string(),
+	path: z.string(),
+	port: z.number().int(),
+	protocol: z.enum(["http", "https", "ws"]).default("http"),
+	stripPrefix: z.boolean().default(true),
+});
+
+export const AddonStackInputSchema = z.object({
+	/** Instance identifier (used for project name sanitization). */
+	instanceId: z.string().min(1),
+	/** Addon service IDs to deploy. */
+	services: z.array(z.string()),
+	/** Optional skill packs. */
+	skillPacks: z.array(z.string()).default([]),
+	/** Platform architecture. */
+	platform: PlatformSchema.default("linux/amd64"),
+	/** OpenClaw version running on the instance. */
+	openclawVersion: z.string().default("latest"),
+	/** Services already running on the instance (to detect conflicts). */
+	existingServices: z.array(z.string()).default([]),
+	/** Ports already in use on the host. */
+	reservedPorts: z.array(z.number().int()).default([]),
+	/** Whether to generate secrets (default: true). */
+	generateSecrets: z.boolean().default(true),
+	/** User-provided credentials for services that need them. */
+	credentials: z.record(z.string(), z.record(z.string(), z.string())).default({}),
+	/** Port overrides for specific services. */
+	portOverrides: z.record(z.string(), z.record(z.string(), z.number().int().min(1).max(65535))).optional(),
+	/** Whether the host has GPU support. */
+	gpu: z.boolean().default(false),
+	/** AI providers configured on this instance. */
+	aiProviders: z.array(AiProviderSchema).default([]),
+	/** Pre-built image overrides (serviceId → image:tag). */
+	prebuiltImages: z.record(z.string(), z.string()).default({}),
+});
+
+export const AddonStackResultSchema = z.object({
+	/** Single docker-compose.override.yml content. */
+	composeOverride: z.string(),
+	/** Complete .env file with all secrets generated. */
+	envFile: z.string(),
+	/** Structured env vars for UI display / credential management. */
+	envVars: z.array(z.object({
+		serviceName: z.string(),
+		vars: z.array(z.object({
+			key: z.string(),
+			description: z.string(),
+			value: z.string(),
+			secret: z.boolean(),
+		})),
+	})),
+	/** SKILL.md files keyed by slug. */
+	skillFiles: z.record(z.string(), z.string()),
+	/** OpenClaw config additions (skills.entries to merge). */
+	openclawConfigPatch: z.object({
+		skills: z.object({
+			entries: z.record(z.string(), z.object({ enabled: z.boolean() })),
+		}),
+	}),
+	/** Port mapping for reverse proxy configuration. */
+	proxyRoutes: z.array(ProxyRouteSchema),
+	/** Additional files to write alongside compose (e.g. sandbox.toml). Keyed by filename. */
+	additionalFiles: z.record(z.string(), z.string()).default({}),
+	/** Metadata. */
+	metadata: z.object({
+		serviceCount: z.number(),
+		skillCount: z.number(),
+		estimatedMemoryMB: z.number(),
+		resolvedServices: z.array(z.string()),
+		skippedServices: z.array(SkippedServiceSchema),
+		generatedSecretKeys: z.array(z.string()),
+		portAssignments: z.record(z.string(), z.number()),
+		/** Docker images to pre-pull during cloud-init, grouped by priority. */
+		prePullImages: z.array(z.object({
+			image: z.string(),
+			priority: z.union([z.literal(1), z.literal(2), z.literal(3)]),
+		})).default([]),
+	}),
+	/** Warnings (non-fatal issues). */
+	warnings: z.array(z.string()),
+});
+
+export const AddonStackUpdateInputSchema = z.object({
+	instanceId: z.string().min(1),
+	/** Current compose override YAML (from the running instance). */
+	currentCompose: z.string(),
+	/** Current .env content. */
+	currentEnv: z.string(),
+	/** Services to add. */
+	addServices: z.array(z.string()).default([]),
+	/** Services to remove. */
+	removeServices: z.array(z.string()).default([]),
+	/** Whether to generate secrets for newly added services (default: true). */
+	generateSecrets: z.boolean().default(true),
+	/** User-provided credentials for new services. */
+	credentials: z.record(z.string(), z.record(z.string(), z.string())).default({}),
+	/** Port overrides for specific services. */
+	portOverrides: z.record(z.string(), z.record(z.string(), z.number().int().min(1).max(65535))).optional(),
+	/** Reserved ports. */
+	reservedPorts: z.array(z.number().int()).default([]),
+	platform: PlatformSchema.default("linux/amd64"),
+	openclawVersion: z.string().default("latest"),
+	aiProviders: z.array(AiProviderSchema).default([]),
+	prebuiltImages: z.record(z.string(), z.string()).default({}),
+});
+
+export const AddonStackUpdateResultSchema = z.object({
+	/** Updated compose override (merged with existing). */
+	composeOverride: z.string(),
+	/** Updated .env (existing values preserved, new ones added). */
+	envFile: z.string(),
+	/** Only NEW skill files to deploy. */
+	newSkillFiles: z.record(z.string(), z.string()),
+	/** Skill slugs to remove from openclaw.json. */
+	removedSkillSlugs: z.array(z.string()),
+	/** Config patch to apply. */
+	openclawConfigPatch: z.object({
+		skills: z.object({
+			add: z.record(z.string(), z.object({ enabled: z.boolean() })),
+			remove: z.array(z.string()),
+		}),
+	}),
+	/** New proxy routes to add. */
+	addProxyRoutes: z.array(ProxyRouteSchema),
+	/** Proxy routes to remove (service IDs). */
+	removeProxyRoutes: z.array(z.string()),
+	/** Services that need their images pulled. */
+	imagesToPull: z.array(z.string()),
+	/** Services to restart (due to dependency changes). */
+	restartRequired: z.array(z.string()),
+	/** Metadata. */
+	metadata: z.object({
+		added: z.array(z.string()),
+		removed: z.array(z.string()),
+		unchanged: z.array(z.string()),
+		estimatedMemoryDelta: z.number(),
+	}),
+	warnings: z.array(z.string()),
+});
+
 // ─── API Request/Response ───────────────────────────────────────────────────
 
 export const ValidateRequestSchema = z.object({

package/src/services/definitions/browserless.ts

@@ -81,4 +81,7 @@ export const browserlessDefinition: ServiceDefinition = {
 
 	minMemoryMB: 512,
 	gpuRequired: false,
+	capDropCompatible: false,
+	proxyPath: "/browserless",
+	firstBootCapabilities: ["SYS_ADMIN"],
 };

package/src/services/definitions/burnlink.ts

@@ -0,0 +1,142 @@
+import type { ServiceDefinition } from "../../types.js";
+
+export const burnlinkDefinition: ServiceDefinition = {
+	id: "burnlink",
+	name: "BurnLink",
+	description:
+		"Privacy-first, zero-knowledge file sharing with end-to-end browser-side AES-256-GCM encryption, one-time downloads, view-once mode, and brute-force protection.",
+	category: "storage",
+	icon: "🔥",
+
+	image: "diopisemou/burnlink",
+	imageTag: "latest",
+	ports: [
+		{
+			host: 3250,
+			container: 3000,
+			description: "BurnLink web interface",
+			exposed: true,
+		},
+	],
+	volumes: [],
+	environment: [
+		{
+			key: "PORT",
+			defaultValue: "3000",
+			secret: false,
+			description: "Server listen port",
+			required: false,
+		},
+		{
+			key: "SUPABASE_URL",
+			defaultValue: "",
+			secret: false,
+			description: "Supabase project URL for metadata storage",
+			required: true,
+		},
+		{
+			key: "SUPABASE_SERVICE_ROLE_KEY",
+			defaultValue: "",
+			secret: true,
+			description: "Supabase service role key",
+			required: true,
+		},
+		{
+			key: "R2_ACCOUNT_ID",
+			defaultValue: "",
+			secret: false,
+			description: "Cloudflare R2 account ID (or MinIO endpoint for self-hosted)",
+			required: true,
+		},
+		{
+			key: "R2_ACCESS_KEY_ID",
+			defaultValue: "",
+			secret: true,
+			description: "S3-compatible storage access key",
+			required: true,
+		},
+		{
+			key: "R2_SECRET_ACCESS_KEY",
+			defaultValue: "",
+			secret: true,
+			description: "S3-compatible storage secret key",
+			required: true,
+		},
+		{
+			key: "R2_BUCKET_NAME",
+			defaultValue: "burnlink",
+			secret: false,
+			description: "Storage bucket name for encrypted files",
+			required: true,
+		},
+		{
+			key: "CANONICAL_BASE_URL",
+			defaultValue: "",
+			secret: false,
+			description: "Public URL for share links (e.g., https://burn.example.com)",
+			required: false,
+		},
+		{
+			key: "MAX_UPLOAD_BYTES",
+			defaultValue: "1073741824",
+			secret: false,
+			description: "Max file upload size in bytes (default 1 GB)",
+			required: false,
+		},
+		{
+			key: "NODE_ENV",
+			defaultValue: "production",
+			secret: false,
+			description: "Node environment (production enables rate limiting)",
+			required: false,
+		},
+	],
+	healthcheck: {
+		test: "wget -q --spider http://localhost:3000/ || exit 1",
+		interval: "30s",
+		timeout: "10s",
+		retries: 3,
+		startPeriod: "15s",
+	},
+	dependsOn: [],
+	restartPolicy: "unless-stopped",
+	networks: ["openclaw-network"],
+
+	skills: [],
+	openclawEnvVars: [
+		{
+			key: "BURNLINK_HOST",
+			defaultValue: "burnlink",
+			secret: false,
+			description: "BurnLink hostname",
+			required: false,
+		},
+		{
+			key: "BURNLINK_PORT",
+			defaultValue: "3000",
+			secret: false,
+			description: "BurnLink internal port",
+			required: false,
+		},
+	],
+
+	docsUrl: "https://github.com/diopisemou/BurnLink",
+	tags: ["file-sharing", "encryption", "privacy", "zero-knowledge", "self-destruct"],
+	maturity: "beta",
+
+	requires: [],
+	recommends: ["supabase", "minio"],
+	conflictsWith: [],
+
+	minMemoryMB: 128,
+	gpuRequired: false,
+	capDropCompatible: true,
+	proxyPath: "/burnlink",
+	envQuirks: [
+		{
+			key: "R2_SECRET_ACCESS_KEY",
+			issue: "min_length" as const,
+			fix: { type: "generate_base64url" as const, minBytes: 24 },
+		},
+	],
+};

package/src/services/definitions/convex.ts

@@ -89,6 +89,14 @@ export const convexDefinition: ServiceDefinition = {
 				"Admin key for CLI access. Generate with: docker compose exec convex ./generate_admin_key.sh",
 			required: false,
 		},
+		{
+			key: "CONVEX_INSTANCE_SECRET",
+			defaultValue: "${INSTANCE_SECRET}",
+			secret: true,
+			description:
+				"Convex instance secret used by Mission Control (synced with INSTANCE_SECRET)",
+			required: false,
+		},
 	],
 	healthcheck: {
 		test: "curl -f http://localhost:3210/version",
@@ -118,4 +126,27 @@ export const convexDefinition: ServiceDefinition = {
 
 	minMemoryMB: 256,
 	gpuRequired: false,
+	capDropCompatible: false,
+	envQuirks: [
+		{
+			key: "DISABLE_BEACON",
+			issue: "empty_string_crashes" as const,
+			fix: { type: "set_value" as const, value: "true" },
+		},
+		{
+			key: "INSTANCE_SECRET",
+			issue: "min_length" as const,
+			fix: { type: "generate_hex" as const, minBytes: 32 },
+		},
+		{
+			key: "CONVEX_SELF_HOSTED_ADMIN_KEY",
+			issue: "min_length" as const,
+			fix: { type: "generate_hex" as const, minBytes: 32 },
+		},
+		{
+			key: "INSTANCE_SECRET",
+			issue: "must_sync" as const,
+			fix: { type: "sync_with" as const, syncKey: "CONVEX_INSTANCE_SECRET" },
+		},
+	],
 };

package/src/services/definitions/grafana.ts

@@ -80,4 +80,13 @@ export const grafanaDefinition: ServiceDefinition = {
 
 	minMemoryMB: 256,
 	gpuRequired: false,
+	capDropCompatible: true,
+	proxyPath: "/grafana",
+	envQuirks: [
+		{
+			key: "GF_SECURITY_ADMIN_PASSWORD",
+			issue: "min_length" as const,
+			fix: { type: "generate_base64url" as const, minBytes: 16 },
+		},
+	],
 };